Dapr Access Control Bypass Vulnerability in Service Invocation

Vulnerability

A vulnerability exists in Dapr versions 1.3.0 prior to 1.15.14, 1.16.0-rc.1 prior to 1.16.14, and 1.17.0-rc.1 prior to 1.17.5. This vulnerability allows for bypassing access control policies in service invocation by using reserved URL characters and path traversal sequences in method paths. The issue arises because the access control layer (ACL) normalizes method paths separately from the dispatch layer, leading to a mismatch where the ACL evaluates one path while the target application receives another. For instance, a method path containing encoded traversal sequences could be normalized to an allowed path, while the application would still receive the original denied path.

Impact

Exploitation of this vulnerability allows an attacker to bypass access control policies for service invocation. This could be done by manipulating method paths with encoded path traversal sequences to access restricted areas, or by using reserved URL characters to trick the ACL into evaluating a different path than what was actually delivered to the application. The gRPC API is particularly vulnerable, as it passes method strings without any client-side sanitization, allowing for direct manipulation of the invocation paths.
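The split between ACL normalization and dispatch described above, shown as an added Go example that is not Dapr's own code (the allow-list, the normalization steps and the sample method paths are constructed assumptions): `AuthorizeSplit` reproduces the class of mismatch in which the verdict and the delivered path can disagree, and `AuthorizeStrict` is the single-view check a defender would want, which refuses any method whose normalized form is not exactly what will be dispatched.

```go
package main

import (
	"net/url"
	"path"
)

// allowList is a constructed policy (assumption: not Dapr's ACL format):
// the only method this app may be invoked with is /api/orders.
var allowList = map[string]bool{"/api/orders": true}

// normalizeForACL does the kind of cleanup an ACL applies before matching:
// percent-decode, then collapse "." and ".." segments.
func normalizeForACL(method string) (string, error) {
	decoded, err := url.PathUnescape(method)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + decoded), nil
}

// AuthorizeSplit models the flawed arrangement: the ACL decides on the
// normalized path while the raw method string is what gets dispatched.
// It returns the ACL verdict and the path the app would actually receive.
func AuthorizeSplit(method string) (allowed bool, dispatched string) {
	norm, err := normalizeForACL(method)
	if err != nil {
		return false, method
	}
	return allowList[norm], method // verdict and delivered path can disagree
}

// AuthorizeStrict is the hardened check: allow only when the normalized path
// is in the allow-list AND is byte-for-byte what will be dispatched, so the
// ACL and the application are guaranteed to evaluate the same path.
func AuthorizeStrict(method string) (allowed bool, reason string) {
	norm, err := normalizeForACL(method)
	if err != nil {
		return false, "malformed percent-escape"
	}
	if norm != method {
		return false, "acl saw " + norm + " but " + method + " would be dispatched"
	}
	if !allowList[norm] {
		return false, "not in allow-list"
	}
	return true, "ok"
}
```

Running both functions over a canonical path, a dotted path and a percent-encoded path shows the split check passing inputs whose delivered form is not the allowed path, while the strict check denies everything except the canonical `/api/orders`.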

Remediation

Users are advised to upgrade to Dapr versions 1.17.5, 1.16.14, or 1.15.14.

Added: May 8, 2026, 5:25 PM
Updated: May 8, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 7.3
remediation: 7.7
relevance: 7.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.