Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/etcd-io/etcd: CVE-2023-32082 #1771

Closed
GoVulnBot opened this issue May 11, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/etcd-io/etcd: CVE-2023-32082 #1771

GoVulnBot opened this issue May 11, 2023 · 3 comments
Assignees
@jba
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2023-32082 references github.com/etcd-io/etcd, which may be a Go module.

Description:
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/etcd-io/etcd
    packages:
      - package: etcd
description: |
    etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
cves:
  - CVE-2023-32082
references:
  - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-3p4g-rcw5-8298
  - fix: https://github.com/etcd-io/etcd/pull/15656
  - web: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.4.md
  - web: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md
@jba jba self-assigned this May 14, 2023
@jba jba added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label May 14, 2023
@jba
Copy link
Contributor

jba commented May 14, 2023

Fix touches only the etcserver package, which has no importers.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/495335 mentions this issue: data/excluded: batch add GO-2023-1775, GO-2023-1778, GO-2023-1774, GO-2023-1771, GO-2023-1769, GO-2023-1768, GO-2023-1779

@GoVulnBot GoVulnBot mentioned this issue Aug 22, 2023
Closed
This was referenced Nov 8, 2023
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 31, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@jba jba

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @jba @GoVulnBot