Improper authentication in etcd
CVE-2020-15136

6.5MEDIUM

Key Information:

Vendor

Etcd-io

Status
Etcd
Vendor
CVE Published:
6 August 2020

What is CVE-2020-15136?

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

Affected Version(s)

etcd >= 3.4.0, < 3.4.10 < 3.4.0, 3.4.10

etcd < 3.3.23 < 3.3.23

References

https://github.com/etcd-io/etcd/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/etcd-io/etcd/blob/master/Documentation...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.