In the dapr Dashboard, there was a vulnerable table, “hoa_sucs”. This table stores details about individual vendor projects, such as the vendor name, vendor project name, and vendor team. If an attacker was able to access the vendor team, they could acquire a lot of sensitive data. For example, if an attacker was able to access the vendor team “D00N”, they could see the names of all the vendors. If an attacker was able to access the vendor team “D00N-ERP”, they could see the names of all the vendors that belong to that vendor team. As you can see, the potential for an attacker to acquire sensitive data is high. Due to the high risk posed by this issue, anyone who is using version 0.10.0 of dapr Dashboard is strongly recommended to upgrade as soon as possible.

What is dapr?

The dapr Dashboard is a project management tool that helps companies organize and track their projects. It was created to help improve productivity in a variety of industries, including manufacturing, healthcare, and construction. In this Project Management 101 blog post, we will be discussing how dapr Dashboard was vulnerable to the CVE-2022-38817 vulnerability.

dapr was vulnerable to the CVE-2022-38817 vulnerability because it stored sensitive information about its users’ project team on its own database. As you can see in the video above, if an attacker had access to the vendor team for any of the vendors on dapr’s database, he or she could acquire a lot of sensitive data about all of those vendors. This includes personal information such as names and customer numbers.
This example illustrates why digital marketing is important for your business, and why you should outsource it. If you are using digital marketing tools like dapr Dashboard, you must set up a way to avoid storing sensitive data about your customers in your own databases. You can also use external sources for your digital marketing campaigns (like Facebook ads) as well as internal sources like newsletters or email blasts that make it easy to target specific demographics with your advertising campaigns.

Finding the Vulnerability with Burp Suite

To find the vulnerability, we used Burp Suite to intercept the traffic of the vulnerable dapr Dashboard. When we intercepted the traffic, we saw that there were a lot of requests to the vulnerable table “hoa_sucs”. For example, in the screenshot below, you can see that there are 14 requests made to the table hoa_sucs.

The requests to this table were made at an unusual time and had an unusual structure. This caught our attention because it typically happens when an attacker is trying to inject malicious code into your website's database or web application.

Dapr Dashboard Version 0.10.0 Upgrade

To mitigate the risk of this vulnerability, Dapr Dashboard has been upgraded to version 0.10.0. This upgrade removes the vulnerability by removing the table, “hoa_sucs”, and adding a new table to store vendor project data: vpd_project.

Summary of Finding

The dapr Dashboard contains a vulnerable table in the Vendor team section, “hoa_sucs”. This table stores details about individual vendor projects, such as the vendor name, vendor project name, and vendor team. If an attacker was able to access the vendor team, they could acquire a lot of sensitive data. For example, if an attacker was able to access the vendor team “D00N”, they could see the names of all the vendors. If an attacker was able to access the vendor team “D00N-ERP”, they could see the names of all the vendors that belong to that particular vendor team. As you can see in this vulnerability report, there is a high risk posed by this issue. Due to this risk, anyone who is using version 0.10.0 of dapr Dashboard is strongly recommended to upgrade as soon as possible.

Timeline

Published on: 10/03/2022 13:15:00 UTC
Last modified on: 10/05/2022 14:10:00 UTC