Dapr July 2020 security audit report
DAP-01-010 WP2: Invocation of out-of-scope topic handlers of PubSub (Info) DAP-01-012 WP2: Missing authentication from Dapr API to application (Medium) Miscellaneous Issues DAP-01-001 WP1: Sidecar allows MDNS … attention is dedicated to finding logical flaws and deep-seated issues. With a shift in methods, WP2 encompassed penetration tests against Dapr integration and setup. The Cure53 team relied on insights into State Encapsulation, MitM attacks on Service Invocation, DoS attack mitigations, API Authentication and Pub/Sub scoping. Since Dapr is available as open source software, the adopted methodology …
19 pages | 267.84 KB | 1 year ago

Dapr February 2021 security audit report
controller no longer allows retrieving sensitive client certificates and now properly enforces authentication for the ‘mutate’ endpoint. This issue has been fixed as part of pull request 18191. DAP-01-008 … out-of-scope during the first test. Thus, it was not covered by the retest. DAP-01-012 WP2: Missing authentication from Dapr API to application (Medium) Status: Fixed The endpoint of the deployed … test led to several bypasses, which make it possible for potential attackers to invoke arbitrary methods on applications, even though the configured access policies should deny such handling. Affected …
9 pages | 161.25 KB | 1 year ago

Dapr June 2023 fuzzing audit report
com/dapr/dapr/pkg/actors.Actors interface. The fuzzer initiates a new actorsRuntime and calls the following methods in pseudo-random order using pseudo-random values for each call: 1. Call() 2. GetState() 3. Tra … For this step the fuzzer uses raw bytes by the fuzzer. It then proceeds to invoke the cipher's two methods, Seal() and Open(), using pseudo-random data by the fuzzer for both method calls. 13: FuzzParseEnvString …
19 pages | 690.59 KB | 1 year ago

Dapr September 2023 security audit report
from untrusted sources: 1. Dapr's external AppChannel 2. Dapr's local AppChannel The vulnerable methods limit the size of a response from a user application; however, an attacker can trigger an OOM panic …
47 pages | 1.05 MB | 1 year ago
4 results in total