github.com/etcd-io/etcd is vulnerable to Information Disclosure. The vulnerability exists in the LeaseTimeToLive function of v3_server.go because it allows access to key names (not values) associated with a lease when the Keys parameter is true, even if the user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC).
github.com/advisories/GHSA-3p4g-rcw5-8298
github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.4.md
github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md
github.com/etcd-io/etcd/commit/71e85e9ded040de758dfefaa641621d152d85248
github.com/etcd-io/etcd/commit/d1b1aa9dbe8065fb2cb36fe035daf701ccabc4e0
github.com/etcd-io/etcd/pull/15656
github.com/etcd-io/etcd/security/advisories/GHSA-3p4g-rcw5-8298
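Added example, not etcd's own code: a constructed Go model of the authorization gap described above, with the reported behaviour (key names returned whenever Keys is true) beside a hardened variant that denies the request unless the caller can read every key attached to the lease. The User, Lease and prefix-based read check are simplifications assumed for illustration, not etcd's RBAC implementation.

```go
package main

import (
	"errors"
	"strings"
)

// Constructed model, not etcd's own code: a user may read keys under a set of
// prefixes (a simplification of etcd RBAC key ranges).
type User struct{ ReadPrefixes []string }

// Lease holds the names of the keys attached to it.
type Lease struct{ Keys []string }

var ErrPermissionDenied = errors.New("permission denied")

func (u User) canRead(key string) bool {
	for _, p := range u.ReadPrefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// vulnerableTimeToLive models the reported behaviour: with keys=true every
// key name attached to the lease is returned without any read check.
func vulnerableTimeToLive(l Lease, _ User, keys bool) ([]string, error) {
	if !keys {
		return nil, nil
	}
	return l.Keys, nil
}

// hardenedTimeToLive denies the request unless the caller holds read
// permission on every attached key, so no key name is disclosed.
func hardenedTimeToLive(l Lease, u User, keys bool) ([]string, error) {
	if !keys {
		return nil, nil
	}
	for _, k := range l.Keys {
		if !u.canRead(k) {
			return nil, ErrPermissionDenied
		}
	}
	return l.Keys, nil
}
```

A user with read permission only under /public/ gets both key names from the vulnerable variant but a permission error from the hardened one; a user permitted on / gets the full list from both.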