
Cloud Vulnerability DB
A community-led vulnerabilities database
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability was discovered where Dapr sends the app token of the invoker app instead of the app token of the invoked app when Dapr is used as a gRPC proxy for remote service invocation. It affects Dapr users who use Dapr as a gRPC proxy for remote service invocation together with the Dapr App API token functionality. The vulnerability was discovered in versions 1.13.0-1.13.2 and was patched in version 1.13.3 (Dapr Release, GitHub Advisory).
The vulnerability stems from incorrect token handling in Dapr's authentication system. Dapr uses two types of tokens: APP_API_TOKEN, which Dapr presents to authenticate itself to the app, and DAPR_API_TOKEN, which the app presents to authenticate itself to Dapr. When a Dapr sidecar proxied a call to another Dapr instance, it mistakenly included the APP_API_TOKEN of the invoker app in the outbound request instead of using the app token of the invoked app. This behavior occurred specifically during gRPC proxy service invocation (GitHub Advisory).
The vulnerability allows receiving apps to read the calling app's API token, which could then be used to make unauthorized calls directly to the originating app if that app is listening on 0.0.0.0 or on an otherwise reachable IP address. This undermines the authentication the App API token is meant to provide (Dapr Release).
Users are advised to upgrade to Dapr version 1.13.3, which contains the fix for this vulnerability. The fix ensures that Dapr uses the correct app token during gRPC proxy service invocation and prevents the leakage of invoker app tokens (Dapr Release, GitHub Advisory).
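To make the token flow concrete, the following Go model (added here; it is not Dapr's code and the `dapr-api-token` metadata key, the `Sidecar`/`Metadata` types and the function names are assumptions) contrasts the vulnerable forwarding behaviour with the fixed one and includes the check a reviewer would run to confirm that the invoked app never sees the invoker's token:

```go
package main

// Constructed model, not Dapr's code: app A -> sidecar A -> sidecar B -> app B.
// Each sidecar holds the APP_API_TOKEN it presents to its own app.
type Sidecar struct{ AppID, AppAPIToken string }

// Assumed metadata key; gRPC metadata is multi-valued, hence []string.
const tokenKey = "dapr-api-token"

// Metadata stands in for grpc metadata.MD so the model has no dependencies.
type Metadata map[string][]string

func (m Metadata) clone() Metadata {
	out := Metadata{}
	for k, v := range m {
		out[k] = append([]string(nil), v...)
	}
	return out
}

// vulnerableForward models 1.13.0-1.13.2: the calling sidecar attaches its own
// app's token to the metadata it sends to the remote sidecar.
func vulnerableForward(caller Sidecar, in Metadata) Metadata {
	out := in.clone()
	out[tokenKey] = append(out[tokenKey], caller.AppAPIToken)
	return out
}

// fixedForward models 1.13.3: no app token leaves the calling sidecar at all.
func fixedForward(_ Sidecar, in Metadata) Metadata {
	out := in.clone()
	delete(out, tokenKey)
	return out
}

// deliver is sidecar B handing the call to app B, adding app B's own token.
func deliver(receiver Sidecar, in Metadata) Metadata {
	out := in.clone()
	out[tokenKey] = append(out[tokenKey], receiver.AppAPIToken)
	return out
}

// LeaksCallerToken: does the token metadata app B receives contain app A's token?
func LeaksCallerToken(caller Sidecar, delivered Metadata) bool {
	for _, v := range delivered[tokenKey] {
		if v == caller.AppAPIToken {
			return true
		}
	}
	return false
}
```

Running the two paths through `deliver` and `LeaksCallerToken` shows the invoker's token reaching app B only on the vulnerable path, while app B still receives its own token on the fixed path.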
The vulnerability was initially reported as an issue on GitHub by Benjamin Delay, and the Dapr team responded by developing and implementing a fix. The fix was merged through a pull request and subsequently released in version 1.13.3 (GitHub Issue, GitHub PR).
Source: This report was generated using AI