CVE-2022-38817
Published: 2022-10-03
CVE-2022-38817: Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
Priority: P3 · 52 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.94% (85.4th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | dapr_dashboard | 0.1.0 – 0.10.0 | — |
| github.com | dapr_dashboard | >= 0.1.0 | — |
| linuxfoundation | dapr_dashboard | 0.1.0 – 0.10.0 | — |
Detection & IOCs (extracted from sources)
- url: /components/statestore
- url: /overview
- url: /controlplane
- other: http.title:"Dapr Dashboard"
- other: title="dapr dashboard"
- other: intitle:"dapr dashboard"
- Unauthenticated GET requests to /components/statestore, /overview, or /controlplane returning HTTP 200 with 'Dapr Dashboard' in the response body indicate a vulnerable, publicly exposed Dapr Dashboard instance.
- Use stop-at-first-match logic: probe the three unauthenticated endpoints sequentially; a 200 response containing 'Dapr Dashboard' confirms improper access control (CWE-306, missing authentication).
- Shodan dork 'http.title:"Dapr Dashboard"' or 'http.title:"dapr dashboard"' can be used to identify internet-exposed instances for mass-scanning detection.
- Affected version range is Dapr Dashboard 0.1.0 through 0.10.0 inclusive; versions outside this range are not considered vulnerable.
- The vulnerability requires no authentication (PR:N, UI:N per CVSS), meaning any network-reachable instance is exploitable without credentials.
- EPSS score of 0.77272 (98.977th percentile) indicates very high real-world exploitation probability; prioritise detection and patching accordingly.
OSV (2024-08-21): Dapr Dashboard vulnerable to Incorrect Access Control in github.com/dapr/dashboard
GHSA (2022-10-04): CVE-2022-38817 [HIGH] CWE-306 Dapr Dashboard vulnerable to Incorrect Access Control
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
OSV (2022-10-04): CVE-2022-38817 [HIGH] Dapr Dashboard vulnerable to Incorrect Access Control
No detection rules found.
Nuclei (CVSS 7.5): CVE-2022-38817 [HIGH] Dapr Dashboard 0.1.0-0.10.0 - Improper Access Control
Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template (truncated in the source):
```yaml
id: CVE-2022-38817

info:
  name: Dapr Dashboard 0.1.0-0.10.0 - Improper Access Control
  author: For3stCo1d
  severity: high
  description: |
    Dapr Dashboard 0.1.0 through 0.10.0 is susceptible to improper access control. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    The vulnerability allows unauthorized access to the Dapr Dashboard, potentially leading to unauthorized actions and data exposure.
  remediation: |
    Upgrade Dapr Dashboard to a version that includes the fix for CVE-20
```
No writeups or analysis indexed.