SB2020081020 - Multiple vulnerabilities in etcd




Published: August 10, 2020 Updated: May 5, 2026

Security Bulletin ID: SB2020081020
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 57%, Low 43%

Description

This security bulletin contains information about 14 vulnerabilities.


1) Weak password requirements (CVE-ID: CVE-2020-15115)

CWE-ID: CWE-521 - Weak Password Requirements

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker to perform a brute-force attack and guess the password.

The vulnerability exists due to weak password requirements in etcd. An attacker can perform a brute-force attack and guess users' passwords.


2) Resource management error (CVE-ID: CVE-2020-15106)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application: a large slice causes a panic in the decodeRecord method. A remote attacker can forge an extremely large frame size that causes a panic in any RAFT participant trying to decode the WAL.
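
The class of check that prevents this kind of panic, shown as an added example (not etcd's code and not its WAL format): the declared frame size is validated against the bytes actually remaining before any buffer is allocated. The record layout (8-byte little-endian length, then payload) and the names decodeFrame, decodeBuffer, frame and errFrameTooLarge are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var errFrameTooLarge = errors.New("declared frame size exceeds bytes remaining")

// decodeFrame reads one record in this example's assumed layout: an 8-byte
// little-endian length, then payload. remaining = bytes left after the length.
func decodeFrame(r io.Reader, remaining int64) ([]byte, error) {
	var size uint64
	if err := binary.Read(r, binary.LittleEndian, &size); err != nil {
		return nil, err
	}
	// Validate before allocating: make([]byte, size) with an untrusted,
	// oversized length panics or exhausts memory.
	if remaining < 0 || size > uint64(remaining) {
		return nil, fmt.Errorf("%w: %d > %d", errFrameTooLarge, size, remaining)
	}
	buf := make([]byte, size)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// decodeBuffer decodes a single record held entirely in memory.
func decodeBuffer(b []byte) ([]byte, error) {
	return decodeFrame(bytes.NewReader(b), int64(len(b))-8)
}

// frame builds a constructed sample record with the given declared length.
func frame(declared uint64, payload []byte) []byte {
	b := make([]byte, 8, 8+len(payload))
	binary.LittleEndian.PutUint64(b, declared)
	return append(b, payload...)
}

func main() {
	p, err := decodeBuffer(frame(5, []byte("hello")))
	fmt.Printf("%q %v\n", p, err)
	_, err = decodeBuffer(frame(1<<62, []byte("hello")))
	fmt.Println(err)
}
```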


3) Improper Preservation of Permissions (CVE-ID: CVE-2020-15113)

CWE-ID: CWE-281 - Improper preservation of permissions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because the software improperly sets permissions on certain directory paths if they were previously created (the etcd data directory and the directory path provided for automatically generating self-signed certificates for TLS connections with clients). A local user can gain unauthorized access to sensitive information on the system.
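
Why a previously created directory keeps its old permissions, shown as an added example (not etcd's code): Go's os.MkdirAll returns nil for a directory that already exists and does not change its mode, so the mode on disk has to be checked explicitly. The function name ensurePrivateDir and the 0700 target mode are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
)

// privateDirMode is the owner-only mode this example assumes for a data or
// certificate directory.
const privateDirMode os.FileMode = 0o700

// ensurePrivateDir creates dir if needed, then verifies the mode actually on
// disk. os.MkdirAll leaves an existing directory's permission bits untouched,
// so the Stat check is what catches a pre-existing, over-permissive path.
func ensurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	// Reject any permission bit outside the owner-only mask.
	if perm := info.Mode().Perm(); perm&^privateDirMode != 0 {
		return fmt.Errorf("%s has mode %04o, want at most %04o", dir, perm, privateDirMode)
	}
	return nil
}

func main() {
	// Constructed scenario: a directory that already exists with mode 0755.
	dir, err := os.MkdirTemp("", "datadir-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.Chmod(dir, 0o755); err != nil {
		panic(err)
	}
	fmt.Println(ensurePrivateDir(dir))
}
```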


4) Resource management error (CVE-ID: CVE-2020-15112)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application, as it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus, as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.


5) Resource exhaustion (CVE-ID: CVE-2020-15114)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote authenticated user can include the gateway address as an endpoint, trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Improper Authentication (CVE-ID: CVE-2020-15136)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag.


7) Improper Authentication (CVE-ID: N/A)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass endpoint authentication.

The vulnerability exists due to improper authentication in gateway endpoint authentication when handling endpoints discovered from DNS SRV records after their authentication settings change. A remote user can cause the gateway to continue trusting an endpoint that is no longer authenticated to bypass endpoint authentication.

The gateway authenticates detected endpoints only once.


8) Improper Authentication (CVE-ID: N/A)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass endpoint authentication.

The vulnerability exists due to improper authentication in the gateway endpoint authentication logic when processing endpoints detected from DNS SRV records. A remote user can change an endpoint's authentication settings after the initial validation to bypass endpoint authentication.

The gateway authenticates detected endpoints only once and continues to trust them after their authentication settings change.


9) Cleartext storage of sensitive information (CVE-ID: N/A)

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to plaintext storage of credentials in WAL log entries when processing user authentication. A local user can read insecurely stored WAL log files to disclose sensitive information.

User credentials are written to WAL entries on each user authentication.


10) Use of a broken or risky cryptographic algorithm (CVE-ID: N/A)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to weaken transport layer security protections.

The vulnerability exists due to use of insecure cryptographic algorithms in the TLS cipher suites configuration when establishing TLS connections. A remote attacker can negotiate an insecure cipher suite to weaken transport layer security protections.


11) Improper Certificate Validation (CVE-ID: N/A)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to connect to an endpoint that does not accept TLS connections.

The vulnerability exists due to improper certificate validation in gateway TLS endpoint validation when validating endpoints with the --discovery-srv flag enabled. A remote attacker can provide a reachable TCP endpoint over an HTTPS URL to connect to an endpoint that does not accept TLS connections.

Exploitation requires use of the gateway start command with the --discovery-srv flag enabled.


12) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in service discovery when processing a negative cluster size value. A remote attacker can provide a negative cluster size value to cause a denial of service.


13) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in parseCompactionRetention in embed/etcd.go when processing a negative auto compaction retention value. A local user can supply a negative retention value to cause a denial of service.

The issue can trigger a history compaction loop, resulting in increased CPU usage and log spam.


14) Insufficient Logging (CVE-ID: N/A)

CWE-ID: CWE-778 - Insufficient Logging

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause misleading audit logs.

The vulnerability exists due to improper logging in the Authenticate endpoint when handling authentication attempts for users with CN-based authentication only. A remote user can send an authentication request to cause misleading audit logs.

The issue affects users who have no password and authenticate only through a client certificate.


Remediation

Install the update from the vendor's website.