CVE-2018-1099
Published: 3 April 2018
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Notes
| Author | Note |
|---|---|
| msalvatore | Waiting for upstream to backport fix to 3.2 branch. See https://github.com/etcd-io/etcd/issues/10479 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
etcd Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Needed
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Needed
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |