NotCVE - vendor:"Etcd" product:"Etcd" version:" >= 3.4.0

Page 2 of 7 results (0.010 seconds)

CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0

CVE-2020-15113 – Improper Preservation of Permissions in etcd

https://notcve.org/view.php?id=CVE-2020-15113

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700). En etcd versiones anteriores a 3.3.23 y 3.4.10, determinadas rutas de directorio son creadas (directorio de datos de etcd y la ruta de directorio cuando se proporcionaba para generar automáticamente certificados autofirmados para conexiones TLS con clientes) con permisos de acceso restringido (700) usando os.MkdirAll. Esta función no realiza ninguna comprobación de permisos cuando una ruta de directorio dada ya existe. • https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP https://access.redhat.com/security/cve/CVE-2020-15113 https://bugzilla.redhat.com/show_bug.cgi?id=1868870 • CWE-281: Improper Preservation of Permissions CWE-285: Improper Authorization •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2020-15106 – Improper Input Validation in etcd

https://notcve.org/view.php?id=CVE-2020-15106

In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. En etcd versiones anteriores a 3.3.23 y 3.4.10, un segmento grande causa pánico en el método decodeRecord. El tamaño de un registro es almacenado en el campo de longitud de un archivo WAL y no se hace ninguna comprobación adicional en estos datos. • https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP https://access.redhat.com/security/cve/CVE-2020-15106 https://bugzilla.redhat.com/show_bug.cgi?id=1868883 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •

1 2