漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Incorrect Authorization in wasmCloud
Vulnerability Description
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
wasmcloud-otp 安全漏洞
Vulnerability Description
wasmcloud-otp是一个 wasmCloud 服务器进程,它安全地托管并为参与者和能力提供者提供调度。 wasmcloud-otp 存在安全漏洞,该漏洞源于在0.52.2之前的版本中,参与者可以绕过能力授权。参与者通常需要声明其入站调用的功能,但是有了这个漏洞,参与者的功能声明不会在接收调用时进行验证。这损害了参与者的安全模型,因为他们可以从链接的功能提供者接收未经授权的调用。
CVSS Information
N/A
Vulnerability Type
N/A