#VU75512 Improper Authorization in etcd


Published: 2023-04-26

Vulnerability identifier: #VU75512

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-28235

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
etcd
Server applications / Database software

Vendor: etcd-io

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to missing authorization to the "/debug" feature. A remote non-authenticated attacker can access the "/debug/requests" endpoint and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

etcd: 3.4.0 - 3.5.7

External links
http://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png
http://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png
http://github.com/etcd-io/etcd/pull/15648

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Ubuntu update for etcd
Red Hat OpenStack Platform 17 update for etcd
Red Hat OpenStack Platform 16 update for etcd
Red Hat OpenStack Platform 16 update for etcd
Improper authorization in IBM CICS TX Standard
Improper authorization in IBM CICS TX Advanced
Missing authorization in Etcd