Headline
GHSA-3p4g-rcw5-8298: etcd Key name can be accessed via LeaseTimeToLive API
Impact
LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys
parameter is true, even a user doesn’t have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC).
Patches
< v3.4.26 and < v3.5.9 are affected.
Workarounds
No.
Reporter
Yoni Rozenshein
etcd Key name can be accessed via LeaseTimeToLive API
Low severity GitHub Reviewed Published May 11, 2023 in etcd-io/etcd • Updated May 12, 2023
Related news
Red Hat Security Advisory 2023-3441-01 - An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby).
An update for etcd is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-28235: A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges. * CVE-2023-32082: A flaw was found in etcd. Affected versions of etcd allow a remote, authent...
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.