Etcd Gateway can include itself as an endpoint resulting in resource exhaustion

High severity • GitHub Reviewed • Published Aug 5, 2020 in etcd-io/etcd • Updated Jan 31, 2024

Package

gomod go.etcd.io/etcd (Go)

Affected versions

>= 3.4.0-rc.0, <= 3.4.9
< 3.3.23

Patched versions

3.4.10
3.3.23

Description

Vulnerability type

Denial of Service

Detail

The etcd gateway is a simple TCP proxy that provides basic service discovery and access. However, the gateway's own address can be included as one of its endpoints. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until no file descriptors remain available to accept connections on the gateway.
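
As an added illustration (not code from etcd or from its patch), a pre-start configuration check can reject an endpoint list that includes the gateway's own listen address. The function name, its parameters and the sample addresses are assumptions of this example, and the listen address is assumed to be an IP literal or a wildcard.

```go
package main

import (
	"fmt"
	"net"
)

// selfEndpoints lists the endpoints that point back at the gateway's own listener.
func selfEndpoints(listen string, endpoints []string, localIPs []net.IP,
	resolve func(string) []net.IP) ([]string, error) { // localIPs, resolve: injected so the check runs offline
	lhost, lport, err := net.SplitHostPort(listen)
	if err != nil {
		return nil, fmt.Errorf("listen address %q: %w", listen, err)
	}
	mine := []net.IP{net.ParseIP(lhost)} // specific listen IP (assumed to be a literal)
	wildcard := lhost == "" || mine[0].IsUnspecified()
	if wildcard {
		mine = localIPs // 0.0.0.0 / :: accepts on every local address
	}
	isSelf := func(ip net.IP) bool {
		for _, m := range mine {
			if ip.Equal(m) {
				return true
			}
		}
		return wildcard && ip.IsLoopback()
	}
	var bad []string
	for _, ep := range endpoints {
		host, port, err := net.SplitHostPort(ep)
		if err != nil {
			return nil, fmt.Errorf("endpoint %q: %w", ep, err)
		}
		ips := []net.IP{net.ParseIP(host)}
		if ips[0] == nil && resolve != nil {
			ips = resolve(host) // hostname: check every address it maps to
		}
		for _, ip := range ips {
			if port == lport && isSelf(ip) {
				bad = append(bad, ep)
				break
			}
		}
	}
	return bad, nil
}

func main() { // constructed sample values, not from the advisory
	fmt.Println(selfEndpoints("127.0.0.1:23790", []string{"10.0.0.7:2379", "127.0.0.1:23790"}, nil, nil))
}
```

A non-empty result means the configuration should be refused before the gateway starts accepting connections.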

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory:

References

@spzala spzala published to etcd-io/etcd Aug 5, 2020
Published by the National Vulnerability Database Aug 6, 2020
Published to the GitHub Advisory Database Jan 31, 2024
Reviewed Jan 31, 2024
Last updated Jan 31, 2024

Severity

High (7.7 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE ID

CVE-2020-15114

GHSA ID

GHSA-2xhq-gv6c-p224

Source code

No known source code