MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg2eHgtcG14aC0zd2dw

High EPSS: 0.00724% (0.71817 Percentile) EPSS:

Permalink JSON

go.etcd.io/etcd Authentication Bypass

Affected Packages	Affected Versions	Fixed Versions
go:go.etcd.io/etcd PURL: `pkg:go/go.etcd.io%2Fetcd`	< 0.5.0-alpha.5.0.20190108173120-83c051b701d3	0.5.0-alpha.5.0.20190108173120-83c051b701d3
6,929 Dependent packages 39,452 Dependent repositories Affected Version Ranges All affected versions v0.1.0, v0.1.1, v0.1.2, v0.2.0, v0.2.0-rc0, v0.2.0-rc1, v0.2.0-rc2, v0.2.0-rc3, v0.2.0-rc4, v0.3.0, v0.4.0, v0.4.1, v0.4.2, v0.4.3, v0.4.4, v0.4.5, v0.4.6, v0.4.7, v0.4.8, v0.4.9, v0.5.0-alpha.0, v0.5.0-alpha.1, v0.5.0-alpha.2, v0.5.0-alpha.3, v0.5.0-alpha.4, v0.5.0-alpha.5 All unaffected versions v2.0.0+incompatible, v2.0.1+incompatible, v2.0.2+incompatible, v2.0.3+incompatible, v2.0.4+incompatible, v2.0.5+incompatible, v2.0.6+incompatible, v2.0.7+incompatible, v2.0.8+incompatible, v2.0.9+incompatible, v2.0.10+incompatible, v2.0.11+incompatible, v2.0.12+incompatible, v2.0.13+incompatible, v2.1.0+incompatible, v2.1.1+incompatible, v2.1.2+incompatible, v2.1.3+incompatible, v2.2.0+incompatible, v2.2.1+incompatible, v2.2.2+incompatible, v2.2.3+incompatible, v2.2.4+incompatible, v2.2.5+incompatible, v2.3.0+incompatible, v2.3.1+incompatible, v2.3.2+incompatible, v2.3.3+incompatible, v2.3.4+incompatible, v2.3.5+incompatible, v2.3.6+incompatible, v2.3.7+incompatible, v2.3.8+incompatible, v3.0.0+incompatible, v3.0.1+incompatible, v3.0.2+incompatible, v3.0.3+incompatible, v3.0.4+incompatible, v3.0.5+incompatible, v3.0.6+incompatible, v3.0.7+incompatible, v3.0.8+incompatible, v3.0.9+incompatible, v3.0.10+incompatible, v3.0.11+incompatible, v3.0.12+incompatible, v3.0.13+incompatible, v3.0.14+incompatible, v3.0.15+incompatible, v3.0.16+incompatible, v3.0.17+incompatible, v3.1.0+incompatible, v3.1.1+incompatible, v3.1.2+incompatible, v3.1.3+incompatible, v3.1.4+incompatible, v3.1.5+incompatible, v3.1.6+incompatible, v3.1.7+incompatible, v3.1.8+incompatible, v3.1.9+incompatible, v3.1.10+incompatible, v3.1.11+incompatible, v3.1.12+incompatible, v3.1.13+incompatible, v3.1.14+incompatible, v3.1.15+incompatible, v3.1.16+incompatible, v3.1.17+incompatible, v3.1.18+incompatible, v3.1.19+incompatible, v3.1.20+incompatible, v3.2.0+incompatible, v3.2.1+incompatible, v3.2.2+incompatible, v3.2.3+incompatible, v3.2.4+incompatible, v3.2.5+incompatible, v3.2.6+incompatible, v3.2.7+incompatible, v3.2.8+incompatible, v3.2.9+incompatible, v3.2.10+incompatible, v3.2.11+incompatible, v3.2.12+incompatible, v3.2.13+incompatible, v3.2.14+incompatible, v3.2.15+incompatible, v3.2.16+incompatible, v3.2.17+incompatible, v3.2.18+incompatible, v3.2.19+incompatible, v3.2.20+incompatible, v3.2.21+incompatible, v3.2.22+incompatible, v3.2.23+incompatible, v3.2.24+incompatible, v3.2.25+incompatible, v3.2.26+incompatible, v3.2.27+incompatible, v3.2.28+incompatible, v3.2.29+incompatible, v3.2.30+incompatible, v3.2.31+incompatible, v3.2.32+incompatible, v3.3.0+incompatible, v3.3.1+incompatible, v3.3.2+incompatible, v3.3.3+incompatible, v3.3.4+incompatible, v3.3.5+incompatible, v3.3.6+incompatible, v3.3.7+incompatible, v3.3.8+incompatible, v3.3.9+incompatible, v3.3.10+incompatible, v3.3.11+incompatible, v3.3.12+incompatible, v3.3.13+incompatible, v3.3.15+incompatible, v3.3.16+incompatible, v3.3.17+incompatible, v3.3.18+incompatible, v3.3.19+incompatible, v3.3.20+incompatible, v3.3.21+incompatible, v3.3.22+incompatible, v3.3.24+incompatible, v3.3.25+incompatible, v3.3.26+incompatible, v3.3.27+incompatible
go:go.etcd.io/etcd/v3 PURL: `pkg:go/go.etcd.io%2Fetcd%2Fv3`	>= 3.3.0, < 3.3.11, >= 3.2.0, < 3.2.26	3.3.11, 3.2.26
466 Dependent packages 1,448 Dependent repositories Affected Version Ranges All affected versions v3.2.0, v3.2.0-rc.0, v3.2.0-rc.1, v3.2.1, v3.2.2, v3.2.3, v3.2.4, v3.2.5, v3.2.6, v3.2.7, v3.2.8, v3.2.9, v3.2.10, v3.2.11, v3.2.12, v3.2.13, v3.2.14, v3.2.15, v3.2.16, v3.2.17, v3.2.18, v3.2.19, v3.2.20, v3.2.21, v3.2.22, v3.2.23, v3.2.24, v3.2.25, v3.3.0, v3.3.0-rc.0, v3.3.0-rc.1, v3.3.0-rc.2, v3.3.0-rc.3, v3.3.0-rc.4, v3.3.1, v3.3.2, v3.3.3, v3.3.4, v3.3.5, v3.3.6, v3.3.7, v3.3.8, v3.3.9, v3.3.10 All unaffected versions v3.0.0, v3.0.1, v3.0.2, v3.0.3, v3.0.4, v3.0.5, v3.0.6, v3.0.7, v3.0.8, v3.0.9, v3.0.10, v3.0.11, v3.0.12, v3.0.13, v3.0.14, v3.0.15, v3.0.16, v3.0.17, v3.1.0, v3.1.1, v3.1.2, v3.1.3, v3.1.4, v3.1.5, v3.1.6, v3.1.7, v3.1.8, v3.1.9, v3.1.10, v3.1.11, v3.1.12, v3.1.13, v3.1.14, v3.1.15, v3.1.16, v3.1.17, v3.1.18, v3.1.19, v3.1.20, v3.2.26, v3.2.27, v3.2.28, v3.2.29, v3.2.30, v3.2.31, v3.2.32, v3.3.11, v3.3.12, v3.3.13, v3.3.14, v3.3.15, v3.3.16, v3.3.17, v3.3.18, v3.3.19, v3.3.20, v3.3.21, v3.3.22, v3.3.23, v3.3.24, v3.3.25, v3.3.26, v3.3.27, v3.4.0, v3.4.1, v3.4.2, v3.4.3, v3.4.4, v3.4.5, v3.4.6, v3.4.7, v3.4.8, v3.4.9, v3.4.10, v3.4.11, v3.4.12, v3.4.13, v3.4.14, v3.4.15, v3.4.16, v3.4.17, v3.4.18, v3.4.19, v3.4.20, v3.4.21, v3.4.22, v3.4.23, v3.4.24, v3.4.25, v3.4.26, v3.4.27, v3.4.28, v3.4.29, v3.4.30, v3.4.31, v3.4.32, v3.4.33, v3.4.34, v3.4.35, v3.4.36, v3.4.37, v3.4.38, v3.5.0, v3.5.1, v3.5.2, v3.5.3, v3.5.4, v3.5.5, v3.5.6, v3.5.7, v3.5.8, v3.5.9, v3.5.10, v3.5.11, v3.5.12, v3.5.13, v3.5.14, v3.5.15, v3.5.16, v3.5.17, v3.5.18, v3.5.19, v3.5.20, v3.5.21, v3.5.22, v3.5.23, v3.5.24, v3.6.0, v3.6.1, v3.6.2, v3.6.3, v3.6.4, v3.6.5

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

References:

Identifiers

GHSA-h6xx-pmxh-3wgp

CVE-2018-16886

Risk

Severity

High

EPSS

EPSS Percentage: 0.00724

EPSS Percentile: 0.71817

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/etcd-io/etcd

Date and time

Published

over 3 years ago

Updated

about 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories