CVE-2022-21707— Incorrect Authorization in wasmCloud
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-21707
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Incorrect Authorization in wasmCloud
Source: NVD (National Vulnerability Database)
Vulnerability Description
wasmCloud Host Runtime is a server process that securely hosts and provides dispatch for web assembly (WASM) actors and capability providers. In versions prior to 0.52.2 actors can bypass capability authorization. Actors are normally required to declare their capabilities for inbound invocations, but with this vulnerability actor capability claims are not verified upon receiving invocations. This compromises the security model for actors as they can receive unauthorized invocations from linked capability providers. The problem has been patched in versions `0.52.2` and greater. There is no workaround and users are advised to upgrade to an unaffected version as soon as possible.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
wasmcloud-otp 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
wasmcloud-otp是一个 wasmCloud 服务器进程,它安全地托管并为参与者和能力提供者提供调度。 wasmcloud-otp 存在安全漏洞,该漏洞源于在0.52.2之前的版本中,参与者可以绕过能力授权。参与者通常需要声明其入站调用的功能,但是有了这个漏洞,参与者的功能声明不会在接收调用时进行验证。这损害了参与者的安全模型,因为他们可以从链接的功能提供者接收未经授权的调用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| wasmCloud | wasmcloud-otp | < 0.52.2 | - |
II. Public POCs for CVE-2022-21707
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-21707
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2022-21707
No comments yet