Search criteria
5 vulnerabilities
CVE-2025-8396 (GCVE-0-2025-8396)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:13 – Updated: 2025-09-15 14:52
VLAI?
Summary
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Temporal | OSS Server |
Affected:
0 , < 1.26.3
(semver)
Affected: 1.27.0 , < 1.27.3 (semver) Affected: 1.28.0 , < 1.28.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T14:51:41.610605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:52:27.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio/temporal",
"defaultStatus": "unaffected",
"modules": [
"default claim mapper"
],
"packageName": "temporal",
"platforms": [
"Linux",
"Windows",
"MacOS"
],
"product": "OSS Server",
"programFiles": [
"default_jwt_claim_mapper.go"
],
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal",
"versions": [
{
"lessThan": "1.26.3",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.27.3",
"status": "affected",
"version": "1.27.0",
"versionType": "semver"
},
{
"lessThan": "1.28.1",
"status": "affected",
"version": "1.28.0",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Using the default claim mapper, with an OSS Temporal server accessible from untrusted clients (i.e. the open internet)."
}
],
"value": "Using the default claim mapper, with an OSS Temporal server accessible from untrusted clients (i.e. the open internet)."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.\u003cp\u003eThis issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). \u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eTemporal Cloud services are not impacted.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation.This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T14:13:26.507Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.26.3"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.27.3"
},
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.28.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to a fixed release: \u003ccode\u003ev1.26.3\u003c/code\u003e, \u003ccode\u003ev1.27.3\u003c/code\u003e, \u003ccode\u003ev1.28.1\u003c/code\u003e or later (latest recommended)."
}
],
"value": "Upgrade to a fixed release: v1.26.3, v1.27.3, v1.28.1 or later (latest recommended)."
}
],
"source": {
"discovery": "INTERNAL"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use mTLS, or bring your own claim mapper."
}
],
"value": "Use mTLS, or bring your own claim mapper."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-8396",
"datePublished": "2025-09-15T14:13:26.507Z",
"dateReserved": "2025-07-30T20:55:26.996Z",
"dateUpdated": "2025-09-15T14:52:27.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1243 (GCVE-0-2025-1243)
Vulnerability from cvelistv5 – Published: 2025-02-12 00:09 – Updated: 2025-02-12 15:29
VLAI?
Summary
The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1.
Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted.
Severity ?
CWE
- CWE-311 - Missing Encryption of Sensitive Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Temporal Technologies, Inc. | api-go library |
Affected:
0 , < 1.44.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T15:29:39.719088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:29:47.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "api-go",
"product": "api-go library",
"repo": "https://github.com/temporalio/api-go/",
"vendor": "Temporal Technologies, Inc.",
"versions": [
{
"lessThan": "1.44.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in\u0026nbsp;information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1.\u003cbr\u003e\u003cbr\u003eOther data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted."
}
],
"value": "The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in\u00a0information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1.\n\nOther data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted."
}
],
"impacts": [
{
"capecId": "CAPEC-204",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-204 Lifting Sensitive Data Embedded in Cache"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311 Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T00:09:59.647Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/temporalio/api-go/releases/tag/v1.44.1"
},
{
"tags": [
"related"
],
"url": "https://temporal.io/blog/announcing-a-new-operation-workflow-update"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade proxy servers leveraging the `api-go` library in your environment to use version 1.44.1 or later of the library."
}
],
"value": "Upgrade proxy servers leveraging the `api-go` library in your environment to use version 1.44.1 or later of the library."
}
],
"source": {
"discovery": "USER"
},
"title": "Field in api-go proxy not transformed before version 1.44.1",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2025-1243",
"datePublished": "2025-02-12T00:09:59.647Z",
"dateReserved": "2025-02-11T23:55:49.028Z",
"dateUpdated": "2025-02-12T15:29:47.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2689 (GCVE-0-2024-2689)
Vulnerability from cvelistv5 – Published: 2024-04-03 21:13 – Updated: 2025-08-27 21:02
VLAI?
Summary
Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted. In this context, a user is an operator of Temporal Server.
Severity ?
4.4 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Temporal Technologies, Inc. | Temporal Server |
Affected:
0 , < 1.20.5
(semver)
Affected: 1.21.0 , < 1.21.6 (semver) Affected: 1.22.0 , < 1.22.7 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-04T16:14:17.842942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:02:57.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.248Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://github.com/temporalio/temporal/releases"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://hub.docker.com/r/temporalio/server",
"defaultStatus": "unaffected",
"packageName": "temporalio/server",
"product": "Temporal Server",
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal Technologies, Inc.",
"versions": [
{
"lessThan": "1.20.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.21.6",
"status": "affected",
"version": "1.21.0",
"versionType": "semver"
},
{
"lessThan": "1.22.7",
"status": "affected",
"version": "1.22.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eDenial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted.\u0026nbsp;In this context, a user is an operator of Temporal Server.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted.\u00a0In this context, a user is an operator of Temporal Server.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-03T21:13:31.599Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/temporalio/temporal/releases"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service if invalid UTF-8 sent",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2024-2689",
"datePublished": "2024-04-03T21:13:31.599Z",
"dateReserved": "2024-03-19T20:18:51.036Z",
"dateUpdated": "2025-08-27T21:02:57.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2435 (GCVE-0-2024-2435)
Vulnerability from cvelistv5 – Published: 2024-04-02 16:40 – Updated: 2024-08-01 19:11
VLAI?
Summary
For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.
Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Temporal OSS | ui-server |
Affected:
2.16.2 , < 2.25.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T18:46:48.461273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:46.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://hub.docker.com/r/temporalio/ui",
"defaultStatus": "unaffected",
"modules": [
"Timeline view"
],
"packageName": "temporalio/ui",
"product": "ui-server",
"repo": "https://github.com/temporalio/ui-server",
"vendor": "Temporal OSS",
"versions": [
{
"lessThan": "2.25.0",
"status": "affected",
"version": "2.16.2",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.\u003cbr\u003eAccess to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).\u003cbr\u003e"
}
],
"value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.\nAccess to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-02T16:40:24.552Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS in Timeline View",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2024-2435",
"datePublished": "2024-04-02T16:40:24.552Z",
"dateReserved": "2024-03-13T17:29:42.211Z",
"dateUpdated": "2024-08-01T19:11:53.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3485 (GCVE-0-2023-3485)
Vulnerability from cvelistv5 – Published: 2023-06-30 17:37 – Updated: 2024-10-28 13:05
VLAI?
Summary
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Temporal Technologies Inc. | Temporal Server |
Affected:
1.9.1 , < 1.20
(semver)
|
Credits
Jacob LeGrone
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/temporalio/temporal/releases/tag/v1.20.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T13:04:57.081536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T13:05:11.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/temporalio",
"defaultStatus": "unaffected",
"packageName": "temporal",
"product": "Temporal Server",
"programFiles": [
"https://github.com/temporalio/temporal/blob/master/service/frontend/service.go"
],
"repo": "https://github.com/temporalio/temporal",
"vendor": "Temporal Technologies Inc.",
"versions": [
{
"lessThan": "1.20",
"status": "affected",
"version": "1.9.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jacob LeGrone"
}
],
"datePublic": "2023-07-03T15:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.\u003cbr\u003eIf a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.\nIf a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization3 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188 Insecure Default Initialization of Resource Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-30T17:38:22.233Z",
"orgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"shortName": "Temporal"
},
"references": [
{
"url": "https://github.com/temporalio/temporal/releases/tag/v1.20.0"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eSet \u0026nbsp;\u003c/span\u003e\u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/temporalio/temporal/pull/3798\"\u003efrontend.enableTokenNamespaceEnforcement\u003c/a\u003e\u0026nbsp;\u003c/code\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eto \u003c/span\u003e\u003ctt\u003etrue\u003c/tt\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp; \u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUpgrade to version 1.20 or above, where this is the default\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": " * Set \u00a0 frontend.enableTokenNamespaceEnforcement https://github.com/temporalio/temporal/pull/3798 \u00a0to true\u00a0 \n * Upgrade to version 1.20 or above, where this is the default\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Default Authorization in Temporal Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968",
"assignerShortName": "Temporal",
"cveId": "CVE-2023-3485",
"datePublished": "2023-06-30T17:37:57.772Z",
"dateReserved": "2023-06-30T17:29:17.808Z",
"dateUpdated": "2024-10-28T13:05:11.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}