Cross Namespace Access via Batch Operation

A writer role user in an attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster. Exploitation requires the attacker to know or guess specific victim workflow ID(s) and, for signal operations, signal names. This was due to a bug introduced in Temporal Server v1.29.0 which inadvertently allowed an attacker to control the namespace name value instead of using the server's own trusted name value within the batch activity code. The batch activity validated the namespace ID but did not cross-check the namespace name against the worker's bound namespace, allowing the per-namespace worker's privileged credentials to operate on an arbitrary namespace. Exploitation requires a server configuration where internal components have cross-namespace authorization, such as deployment of the internal-frontend service or equivalent TLS-based authorization for internal identities. This vulnerability also impacted Temporal Cloud when the attacker and victim namespaces were on the same cell, with the same preconditions as self-hosted clusters.

N/A

通过用户控制密钥绕过授权机制

Temporal Server 安全漏洞

Temporal Server是Temporal公司的一个微服务编排平台。 Temporal Server存在安全漏洞，该漏洞源于攻击者控制的命名空间中的写入者角色用户可以在同一集群上的受害者命名空间中发送信号、删除和重置工作流或活动，可能导致攻击者利用批处理活动代码中的命名空间名称值错误操作任意命名空间。

N/A

N/A