This CVE record pertains to an insecure default authorization vulnerability found in the open-source Temporal Server before version 1.20, impacting all platforms. The vulnerability allows an attacker to manipulate a task token to gain access to a namespace different from the one specified in the request, potentially enabling interference with tasks in other namespaces.
Understanding CVE-2023-3485
This section delves into the specifics of CVE-2023-3485, shedding light on the vulnerability and its implications.
What is CVE-2023-3485?
The vulnerability in the open-source Temporal Server before version 1.20 enables attackers to create a task token outside the regular server flow, granting access to a different namespace than requested. By leveraging this access, attackers can potentially disrupt tasks in other namespaces, such as marking tasks as failed or completed.
The Impact of CVE-2023-3485
The impact of CVE-2023-3485 is classified under CAPEC-114, focusing on Authentication Abuse. This vulnerability can lead to unauthorized access to namespaces, potentially resulting in the manipulation and interference of tasks.
Technical Details of CVE-2023-3485
This section provides detailed technical information regarding CVE-2023-3485, including the vulnerability description, affected systems and versions, as well as the exploitation mechanism.
Vulnerability Description
The insecure defaults in the open-source Temporal Server allow attackers to craft a task token that provides unauthorized access to namespaces, facilitating interference with tasks in those namespaces.
Affected Systems and Versions
The vulnerability affects Temporal Server versions before 1.20, across all platforms. Specifically, versions 1.9.1 and below are susceptible to this insecure default authorization issue.
Exploitation Mechanism
To exploit CVE-2023-3485, attackers must create a task token outside the normal Temporal server flow, requiring the namespace UUID and information from the workflow history for the target namespace. By meeting these conditions, attackers can interfere with tasks in other namespaces.
Mitigation and Prevention
In this section, we explore the measures that can be taken to mitigate and prevent the exploitation of CVE-2023-3485.
Immediate Steps to Take
Set frontend.enableTokenNamespaceEnforcement to true in the Temporal Server configuration.
Long-Term Security Practices
Implement robust authorization mechanisms and regularly review and update access control configurations to prevent unauthorized access to namespaces and tasks.
Patching and Updates
Ensure timely application of patches and updates provided by Temporal Technologies Inc. to address the insecure default authorization vulnerability in Temporal Server. The security update to version 1.20 or higher is crucial to mitigate the risks associated with CVE-2023-3485.
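Added example (not Temporal's code, and not from the original page): a simplified Go model of the check that frontend.enableTokenNamespaceEnforcement turns on, comparing the namespace carried in a task token with the namespace named in the request. The types, function names, and sample namespace values are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// TaskToken is a simplified, hypothetical stand-in for a task token.
type TaskToken struct {
	NamespaceID string // namespace UUID carried inside the token
}

// TaskRequest is a hypothetical request: the namespace the caller names plus its token.
type TaskRequest struct {
	Namespace string
	Token     TaskToken
}

var (
	ErrUnknownNamespace  = errors.New("unknown namespace")
	ErrNamespaceMismatch = errors.New("task token namespace differs from request namespace")
)

type Frontend struct {
	EnforceTokenNamespace bool              // models frontend.enableTokenNamespaceEnforcement
	NamespaceIDs          map[string]string // namespace name -> UUID (constructed)
}

// TargetNamespaceID returns the namespace the request would act on.
func (f *Frontend) TargetNamespaceID(req TaskRequest) (string, error) {
	requestedID, ok := f.NamespaceIDs[req.Namespace]
	if !ok {
		return "", ErrUnknownNamespace
	}
	if f.EnforceTokenNamespace && req.Token.NamespaceID != requestedID {
		return "", ErrNamespaceMismatch // token points at another namespace
	}
	// Enforcement off: the token's namespace is used without comparison.
	return req.Token.NamespaceID, nil
}

func main() {
	ids := map[string]string{"team-a": "uuid-a", "team-b": "uuid-b"} // constructed
	req := TaskRequest{Namespace: "team-a", Token: TaskToken{NamespaceID: "uuid-b"}}
	for _, enforce := range []bool{false, true} {
		id, err := (&Frontend{EnforceTokenNamespace: enforce, NamespaceIDs: ids}).TargetNamespaceID(req)
		fmt.Printf("enforce=%v target=%q err=%v\n", enforce, id, err)
	}
}
```

With enforcement off, the request that names team-a resolves to team-b's namespace ID; with it on, the same request is rejected with a mismatch error.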