A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one.
Users who have configured access control policies for service invocation are strongly encouraged to upgrade Dapr to the respective patch version 1.17.5, 1.16.14, and 1.15.14.
This vulnerability impacts Dapr users who have configured access control policies for service invocation. An attacker who can reach the Dapr HTTP or gRPC API could:
admin%2F..%2Fpublic) to reach an allowed path while the method started from a denied prefix.%23) or query (%3F) characters to cause the ACL to evaluate a different path than what was delivered to the target application.Users should upgrade immediately to their respective Dapr version 1.17.5, 1.16.14, and 1.15.14.
Dapr supports access control policies for service invocation, which allow operators to restrict which methods an application is permitted to call on a target app. When a request arrives, Dapr evaluates the method path against the configured policy before dispatching to the target.
Prior to this fix, the ACL and the dispatch layer normalized the method path independently. The ACL used purell.NormalizeURLString, which decoded %XX sequences, resolved ../, and stripped # and ? as URL delimiters. The dispatch layer used the raw method string. This mismatch meant the ACL authorized one path while the target application received a different one.
For example, a method of admin%2F..%2Fpublic was normalized by the ACL to public (allowed), but the target application received admin/../public.
The gRPC API was the more dangerous vector because gRPC...
1.16.141.17.51.15.14Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:HI:HA:N8.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N