CVE-2022-21707 MEDIUM

CVE-2022-21707: Incorrect Authorization in wasmCloud

Vendor Wasmcloud
Product wasmcloud-otp
Weakness CWE-863 · Incorrect authorization
Published January 21, 2022
Last update April 23, 2025

CVSS base score

6.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for WebAssembly (Wasm) actors and capability providers. In versions prior to 0.52.2, actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors, as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround, and users are advised to upgrade to an unaffected version as soon as possible.

Key dates

Disclosure timeline

January 21, 2022 CVE published
April 23, 2025 Record updated