CVE-2020-15113
Improper Preservation of Permissions in etcd
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
En etcd versiones anteriores a 3.3.23 y 3.4.10, determinadas rutas de directorio son creadas (directorio de datos de etcd y la ruta de directorio cuando se proporcionaba para generar automáticamente certificados autofirmados para conexiones TLS con clientes) con permisos de acceso restringido (700) usando os.MkdirAll. Esta función no realiza ninguna comprobación de permisos cuando una ruta de directorio dada ya existe. Una posible solución es asegurarse de que los directorios tengan el permiso deseado (700)
A flaw was found in etcd. Certain directory paths are created with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-08-05 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-281: Improper Preservation of Permissions
- CWE-285: Improper Authorization
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Etcd Search vendor "Etcd" | Etcd Search vendor "Etcd" for product "Etcd" | < 3.3.23 Search vendor "Etcd" for product "Etcd" and version " < 3.3.23" | - |
Affected
| ||||||
| Etcd Search vendor "Etcd" | Etcd Search vendor "Etcd" for product "Etcd" | >= 3.4.0 < 3.4.10 Search vendor "Etcd" for product "Etcd" and version " >= 3.4.0 < 3.4.10" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||