GitHub_MCVELIST:CVE-2023-32082CVE-2023-32082 etcd key name can be accessed via LeaseTimeToLive API
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
5.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.4%
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys parameter is true, even a user doesn’t have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
CNA Affected
[
{
"vendor": "etcd-io",
"product": "etcd",
"versions": [
{
"version": "< 3.4.26",
"status": "affected"
},
{
"version": ">= 3.5.0, < 3.5.9",
"status": "affected"
}
]
}
]Related
3.1 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
5.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.4%