CVE-2023-32082

Published: May 11, 2023
Source: redhat
CVSS3: 3.1
EPSS: Low

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not values) associated with a lease when the Keys parameter is true, even if the user doesn't have read permission to the keys. The impact is limited to clusters that enable auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

A flaw was found in etcd. Affected versions of etcd allow a remote, authenticated attacker to use the LeaseTimeToLive API to obtain sensitive information.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | etcd | Out of support scope | | |
| Red Hat Enterprise Linux 7 | etcd3 | Out of support scope | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-etcd | Affected | | |
| Red Hat OpenStack Platform 16.1 | etcd | Fix deferred | | |
| Red Hat OpenStack Platform 16.2 | etcd | Fix deferred | | |
| Red Hat Storage 3 | etcd | Affected | | |
| Red Hat OpenStack Platform 17.0 | etcd | Fixed | RHSA-2023:3441 | 05.06.2023 |

Additional information

Status: Low
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2208131 etcd: Key name can be accessed via LeaseTimeToLive API

EPSS: 0.00222 (Low), percentile: 45%

CVSS3: 3.1 Low

Related vulnerabilities

CVSS3: 3.1
ubuntu
about 2 years ago

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not values) associated with a lease when the `Keys` parameter is true, even if the user doesn't have read permission to the keys. The impact is limited to clusters that enable auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

CVSS3: 3.1
nvd
about 2 years ago

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not values) associated with a lease when the `Keys` parameter is true, even if the user doesn't have read permission to the keys. The impact is limited to clusters that enable auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

CVSS3: 3.1
debian
about 2 years ago

etcd is a distributed key-value store for the data of a distributed sy ...

CVSS3: 4.3
redos
5 months ago

etcd vulnerability

CVSS3: 3.1
github
about 2 years ago

etcd Key name can be accessed via LeaseTimeToLive API
