You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, daprd is exposing the public port which exposes the healthz and metadata endpoints. This is exposed publicly on the network. This server has no authentication and is serving requests in plaintext.
The metadata endpoint returns information like actors, subscriptions, components etc.
This represents a massive privacy exposure. This port must be disabled on any multi-tenant deployment of Dapr, however this is not documented anywhere and the daprd logs don't explain that this is happening either. Users are currently exposing this information without knowledge.
We should update this API server to use mTLS based on the dapr identity certificate, and provide an allow list of identities which can connect to this endpoint to authorize it consumption. This is a breaking change, however the current behaviour is not appropriate and should be considered a security vulnerability.
The text was updated successfully, but these errors were encountered:
This issue has been automatically marked as stale because it has not had activity in the last 60 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 67 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.
Currently, daprd is exposing the public port which exposes the healthz and metadata endpoints. This is exposed publicly on the network. This server has no authentication and is serving requests in plaintext.
The metadata endpoint returns information like actors, subscriptions, components etc.
This represents a massive privacy exposure. This port must be disabled on any multi-tenant deployment of Dapr, however this is not documented anywhere and the daprd logs don't explain that this is happening either. Users are currently exposing this information without knowledge.
We should update this API server to use mTLS based on the dapr identity certificate, and provide an allow list of identities which can connect to this endpoint to authorize it consumption. This is a breaking change, however the current behaviour is not appropriate and should be considered a security vulnerability.
The text was updated successfully, but these errors were encountered: