Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-h6xx-pmxh-3wgp

Опубликовано: 12 апр. 2022
Источник: github
Github: Прошло ревью
CVSS3: 8.1

Описание

go.etcd.io/etcd Authentication Bypass

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Ссылки

Пакеты

Наименование

go.etcd.io/etcd/v3

go
Затронутые версииВерсия исправления

>= 3.2.0, < 3.2.26

3.2.26

Наименование

go.etcd.io/etcd/v3

go
Затронутые версииВерсия исправления

>= 3.3.0, < 3.3.11

3.3.11

Наименование

go.etcd.io/etcd

go
Затронутые версииВерсия исправления

< 0.5.0-alpha.5.0.20190108173120-83c051b701d3

0.5.0-alpha.5.0.20190108173120-83c051b701d3

EPSS

Процентиль: 73%
0.00757
Низкий

8.1 High

CVSS3

CVE ID

CVE-2018-16886

Дефекты

CWE-285
CWE-287

Связанные уязвимости

ubuntu логотип

CVE-2018-16886

CVSS3: 8.1
ubuntu
около 7 лет назад

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

redhat логотип

CVE-2018-16886

CVSS3: 6.8
redhat
около 7 лет назад

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

nvd логотип

CVE-2018-16886

CVSS3: 8.1
nvd
около 7 лет назад

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

debian логотип

CVE-2018-16886

CVSS3: 8.1
debian
около 7 лет назад

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerab ...

fstec логотип

BDU:2019-02944

CVSS3: 8.1
fstec
около 7 лет назад

Уязвимость реализации функции контроля доступа на основе ролей Role Based Access Control (RBAC) хранилища параметров конфигурации Etcd, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 73%
0.00757
Низкий

8.1 High

CVSS3

CVE ID

CVE-2018-16886

Дефекты

CWE-285
CWE-287