CVE-2022-21707
MEDIUMwasmCloud Host Runtime < 0.52.2 - Missing Authorization for Actor Capability Claims
Title source: llmDescription
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/wasmCloud/wasmcloud-otp/security/advisories/GHSA-2cmx-rr54-88g5
Patch, Third Party Advisory x_refsource_misc
https://github.com/wasmCloud/wasmcloud-otp/commit/fd07262074b98b06106a31fd1957dc2319d438a5
Scores
CVSS v3
6.3
EPSS
0.0095
EPSS Percentile
56.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
CWE-863
Status
published
Products (1)
wasmcloud/host_runtime
< 0.52.2
Published
Jan 21, 2022
Tracked Since
Feb 18, 2026