Cross-Site Request Forgery Flaw in etcd Server by CoreOS
CVE-2018-1098

8.8HIGH

Key Information:

Vendor: Red Hat
Status: Etcd
Vendor: CVE Published:; 3 April 2018

What is CVE-2018-1098?

A cross-site request forgery vulnerability exists in the etcd server versions 3.3.1 and earlier, allowing attackers to craft malicious web forms that can send POST requests to the etcd server. This could lead to unauthorized modifications of keys within etcd, despite the PUT method being considered safer. The flaw enables attackers to create in-order keys using POST requests, which could compromise the integrity of the etcd data.

Affected Version(s)

etcd 3.3.1 and earlier

References

https://bugzilla.redhat.com/show_bug.cgi?id=1552714

x_refsource_CONFIRM

https://github.com/coreos/etcd/issues/9353

x_refsource_CONFIRM

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2018
Vulnerability Reserved
Dec 4, 2017

Red Hat

What is CVE-2018-1098?

Affected Version(s)

References

CVSS V3.1

Timeline