Vulnerability Description
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wasmcloud | Host Runtime | < 0.52.2 |
Related Weaknesses (CWE)
References
- https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dcPatchThird Party Advisory
- https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88Third Party Advisory
- https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dcPatchThird Party Advisory
- https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88Third Party Advisory
FAQ
What is CVE-2022-21707?
CVE-2022-21707 is a vulnerability with a CVSS score of 6.3 (MEDIUM). wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability a...
How severe is CVE-2022-21707?
CVE-2022-21707 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21707?
Check the references section above for vendor advisories and patch information. Affected products include: Wasmcloud Host Runtime.