Cross-Site Request Forgery Flaw in etcd Server by CoreOS
CVE-2018-1098

8.8 HIGH

Key Information:

Vendor: Red Hat
Status: Vendor
CVE Published: 3 April 2018

Summary

A cross-site request forgery vulnerability exists in etcd server versions 3.3.1 and earlier. An attacker can craft a malicious web form that sends POST requests to the etcd server, which could lead to unauthorized modification of keys within etcd. This is possible even though the PUT method is considered safer: the flaw lets attackers create in-order keys using POST requests, which could compromise the integrity of the etcd data.

Affected Version(s)

etcd 3.3.1 and earlier

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
