Dapr 1.10.9 [security]

This update contains security fixes:

• Security: API token authentication bypass in HTTP endpoints (Security advisory)
• Security: Potential DoS in avro dependency (CVE-2023-37475)

Security: API token authentication bypass in HTTP endpoints

Problem

Security advisory

A high-severity vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request.

Impact

The vulnerability impacts all users on Dapr <=1.10.9 and <=1.11.2 who are using API token authentication.

Root cause

The Dapr sidecar allowed all requests containing /healthz in the URL (including query string) to bypass API token authentication.

Solution

We have changed the API token authentication middleware to allow bypassing the authentication only for healthcheck endpoints more strictly.

Security: Potential DoS in avro dependency (CVE-2023-37475)

Problem

CVE-2023-37475

An issue in the third-party avro dependency could cause a resource exhaustion and a DoS for Dapr.

Impact

This issue impacts users of Dapr that use the Pulsar components.

Root cause

The issue was in a third-party dependency.

Solution

We have upgraded the avro dependency to version 2.13.0 which contains a fix for the reported issue.