Dapr July 2020 security audit report
…to RCE (High); DAP-01-003 WP1: HTTP Parameter Pollution through invocation (Low); DAP-01-004 WP1: Sidecar injector API exposes sensitive client certificates (High); DAP-01-005 WP2: Inadequate separation leads to cluster takeover (Critical); DAP-01-006 WP2: Cross-Site Request Forgery into local Dapr sidecar (Medium); DAP-01-008 WP2: Dapr allows extraction of Kubernetes secrets by default (High); DAP-01-010 Missing authentication from Dapr API to application (Medium). Miscellaneous Issues: DAP-01-001 WP1: Sidecar allows MDNS probes to docker network (Info); DAP-01-007 WP2: HTTP Parameter Pollution in Azure SignalR…
19 pages | 267.84 KB | 1 year ago
Dapr September 2023 security audit report
…a component that is not enabled by default. The vulnerability had the potential to crash a Dapr sidecar with an out-of-memory denial of service attack vector. We found the vulnerability after performing … Kubernetes, Dapr is deployed as a sidecar container in the same pod as the user's application. When running Dapr on a virtual machine, Dapr runs as a separate sidecar process. In both cases, the application … through HTTP or gRPC calls: If the user has multiple applications running with Dapr, each has a sidecar next to it: Dapr comes with a set of built-in components - a form of cloud-native primitives - that…
47 pages | 1.05 MB | 1 year ago
The Future of Cloud Native Applications with Open Application Model (OAM) and Dapr
…Edge Sidecar architecture Sidecar architecture Standard APIs accessed over http/gRPC protocols from user service code e.g. http://localhost:3500/v1.0/state/inventory Runs as local "sidecar library" Actors Distributed tracing Extensible HTTP API gRPC API Application code Dapr self-hosted Sidecar architecture State stores Publish and subscribe Resource bindings Scanning for events Application save state Service code B Service code A Input/output 1 Components Dapr Kubernetes-hosted Sidecar architecture Component management Deploys and manages Dapr Any cloud or edge infrastructure Publish…
51 pages | 2.00 MB | 1 year ago
OAM, Dapr and Rudr: The future of cloud native applications
…Blocks Developer first, standard APIs used from any programming language or framework Sidecar Architecture Sidecar architecture Standard APIs accessed over http/gRPC protocols from user service code e… save state Service code B Service code A Pod CONTAINER Service code CONTAINER Sidecar Dapr Kubernetes-hosted Publish and subscribe Components Component management State stores… changes to runtime Injects Dapr runtime Updates actor partition placement Pod CONTAINER Sidecar Injector Pod CONTAINER Operator Pod CONTAINER Placement Microservice Building…
59 pages | 1.65 MB | 1 year ago
Dapr February 2021 security audit report
…Bielefelder Str. 14 D 10709 Berlin cure53.de · mario@cure53.de DAP-01-004 WP1: Sidecar injector API exposes sensitive client certificates (High) Status: Fixed The side-injector admission… flaws have not been addressed accordingly, while one received adequate attention. DAP-01-001 WP1: Sidecar allows MDNS probes to docker network (Info) Status: Open The referred code was refactored and renamed from servicediscovery to nameresolution in pull request 17136. However, access to the Dapr sidecar still eventually gives attackers the ability to resolve docker MDNS network addresses, permitting…
9 pages | 161.25 KB | 1 year ago
Dapr June 2023 fuzzing audit report
…FuzzAescbcaead github.com/dapr/kit/crypto/aescbcaead 13 FuzzParseEnvString github.com/dapr/dapr/pkg/injector/sidecar 14 FuzzIsOperationAllowedByAccessControlPolicy github.com/dapr/dapr/pkg/acl 15 FuzzIsEndpointAllowed…
19 pages | 690.59 KB | 1 year ago
6 documents in total