PT-2023-26185 · Dapr · Dapr

Italypaleale · Published 2023-07-21 · Updated 2024-08-20 · CVE-2023-37918

CVSS v3.1: 6.8 Medium
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Dapr versions prior to 1.10.9
Dapr versions prior to 1.11.2

Description

A vulnerability has been found in Dapr that allows bypassing API token authentication with a well-crafted HTTP request. This issue impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the dapr-api-token in the request is invalid or missing. The vulnerability is related to the allowlisting of healthcheck endpoints, which permitted all requests whose URL contains /healthz to bypass the API token authentication check.

Recommendations

For Dapr versions prior to 1.10.9, upgrade to version 1.10.9 or later. For Dapr versions prior to 1.11.2, upgrade to version 1.11.2 or later. As a temporary workaround, consider restricting access to the /v1.0/healthz and /v1.0/healthz/outbound HTTP APIs to minimize the risk of exploitation. Avoid using URLs that contain /healthz in the query string until the issue is resolved.
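
The allowlisting flaw described above, next to an exact-path check that closes it, as an added Go example (not Dapr's source code). The middleware, the function names, the token value and the /v1.0/example route are constructed for illustration; only the dapr-api-token header and the two health endpoint paths come from the advisory.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Health endpoints named in the advisory; everything else must carry the token.
var healthPaths = map[string]bool{"/v1.0/healthz": true, "/v1.0/healthz/outbound": true}

// flawedExempt models the bug class: a substring match over the whole URL,
// so the query string can also satisfy the healthcheck exemption.
func flawedExempt(r *http.Request) bool {
	return strings.Contains(r.URL.String(), "/healthz")
}

// strictExempt exempts only an exact match on the parsed path component.
func strictExempt(r *http.Request) bool {
	return healthPaths[r.URL.Path]
}

// tokenAuth rejects requests without the expected dapr-api-token header,
// unless the supplied exemption function accepts the request.
func tokenAuth(token string, exempt func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("dapr-api-token"))
		if !exempt(r) && subtle.ConstantTimeCompare(got, []byte(token)) != 1 {
			http.Error(w, "invalid api token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a GET without any token through the middleware (in memory,
// no network) and returns the HTTP status the caller would see.
func statusFor(exempt func(*http.Request) bool, target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	tokenAuth("constructed-token", exempt, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed regression cases: real health path, and a non-health route
	// whose query string merely contains "/healthz".
	for _, t := range []string{"/v1.0/healthz", "/v1.0/example?x=/healthz"} {
		fmt.Printf("%-28s flawed=%d strict=%d\n", t, statusFor(flawedExempt, t), statusFor(strictExempt, t))
	}
}
```

The second case is the one worth keeping as a regression test after upgrading: a token-less request to a non-health route must return 401 regardless of what its query string contains.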

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2023-37918
GHSA-59M6-82QM-VQGJ
GO-2023-1955

Affected Products

Dapr