CVE-2023-32082
Published: 11 May 2023
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
Priority
Status
Package | Release | Status |
---|---|---|
etcd Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Needs triage
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References
- https://github.com/etcd-io/etcd/security/advisories/GHSA-3p4g-rcw5-8298
- https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md
- https://github.com/etcd-io/etcd/pull/15656
- https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.4.md
- https://www.cve.org/CVERecord?id=CVE-2023-32082
- NVD
- Launchpad
- Debian