Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-32082

Опубликовано: 11 мая 2023
Источник: redhat
CVSS3: 3.1

Описание

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

A flaw was found in etcd. Affected versions of etcd allow a remote, authenticated attacker to use the LeaseTimeToLive API to obtain sensitive information.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 7etcdOut of support scope
Red Hat Enterprise Linux 7etcd3Out of support scope
Red Hat OpenShift Container Platform 4openshift4/ose-etcd-rhel9Affected
Red Hat OpenStack Platform 16.1etcdFix deferred
Red Hat OpenStack Platform 16.2etcdFix deferred
Red Hat Storage 3etcdAffected
Red Hat OpenStack Platform 17.0etcdFixedRHSA-2023:344105.06.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2208131etcd: Key name can be accessed via LeaseTimeToLive API

3.1 Low

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-32082

CVSS3: 3.1
ubuntu
больше 2 лет назад

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

nvd логотип

CVE-2023-32082

CVSS3: 3.1
nvd
больше 2 лет назад

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

msrc логотип

CVE-2023-32082

CVSS3: 4.3
msrc
больше 2 лет назад

etcd key name can be accessed via LeaseTimeToLive API

debian логотип

CVE-2023-32082

CVSS3: 3.1
debian
больше 2 лет назад

etcd is a distributed key-value store for the data of a distributed sy ...

github логотип

GHSA-3p4g-rcw5-8298

CVSS3: 3.1
github
больше 2 лет назад

etcd Key name can be accessed via LeaseTimeToLive API

3.1 Low

CVSS3