漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Missing Authentication on Streaming gRPC Replication Endpoint
Vulnerability Description
The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. Data exfiltration is possible, but only when a configured replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data. Temporal Cloud is not affected.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Temporal 安全漏洞
Vulnerability Description
Temporal是temporal.io开源的一个持久化执行平台。 temporal存在安全漏洞,该漏洞源于前端gRPC服务器的流式拦截器链未包含授权拦截器,导致配置ClaimMapper和Authorizer时,流式AdminService/StreamWorkflowReplicationMessages端点接受无凭据请求,可能允许具有网络访问权限的攻击者未经身份验证打开复制流,可能导致数据渗漏。
CVSS Information
N/A
Vulnerability Type
N/A