Your submission was sent successfully! Close

CVE-2020-15113

Published: 5 August 2020

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Priority

Medium

CVSS 3 base score: 7.1

Status

Package Release Status
etcd
Launchpad, Ubuntu, Debian
bionic Needed

focal
Released (3.2.26+dfsg-6ubuntu0.1)
groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needed

precise Does not exist

trusty Does not exist

upstream
Released (3.3.23, 3.4.10)
xenial Ignored
(end of standard support, was needed)
Patches:
upstream: https://github.com/etcd-io/etcd/commit/ac37d3499e965946bd39ee7260a27a0a3e796b14 (3.3.23)