CVE-2022-38817
published 2022-10-03

CVE-2022-38817: Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.

Priority: P3 52 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit · EPSS: 2.94% (85.4th percentile)

Affected (3 ranges)

Vendor           Product          Version range     Fixed in
github.com       dapr_dashboard   0.1.0 – 0.10.0    -
github.com       dapr_dashboard   >= 0.1.0          -
linuxfoundation  dapr_dashboard   0.1.0 – 0.10.0    -

Detection & IOCs (extracted from sources)

  url    /components/statestore
  url    /overview
  url    /controlplane
  other  http.title:"Dapr Dashboard"
  other  title="dapr dashboard"
  other  intitle:"dapr dashboard"
  • Unauthenticated GET requests to /components/statestore, /overview, or /controlplane that return HTTP 200 with 'Dapr Dashboard' in the response body indicate a vulnerable, publicly exposed Dapr Dashboard instance.
  • Use stop-at-first-match logic: probe the three unauthenticated endpoints in sequence; the first 200 response containing 'Dapr Dashboard' confirms improper access control (CWE-306, missing authentication).
  • The Shodan dork 'http.title:"Dapr Dashboard"' (or 'http.title:"dapr dashboard"') can be used to identify internet-exposed instances for mass-scanning detection.
  • The affected version range is Dapr Dashboard 0.1.0 through 0.10.0 inclusive; versions outside this range are not considered vulnerable.
  • The vulnerability requires no authentication (PR:N, UI:N per CVSS), so any network-reachable instance is exploitable without credentials.
  • An EPSS score of 0.77272 (98.977th percentile) indicates a very high real-world exploitation probability; prioritise detection and patching accordingly.