CVE-2018-1099 — Improper Input Validation in Etcd

CWE-20 — Improper Input Validation CWE-284 — Improper Access Control CWE-350 — Reliance on Reverse DNS Resolution for a Security-Critical Action9 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 79.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Etcd Go.etcd.io Etcd Redhat Etcd +2 more

Timeline

PublishedApr 3

Latest updateFeb 15

Description

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶Gogo.etcd.io/etcd< 3.4.0

▶Debianetcd/etcd< 3.4.23-1+2

▶NVDredhat/etcd3.3.1

▶CVEListV5red_hat_inc/etcd3.3.1 and earlier

Also affects: Fedora 30

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

DNS Rebinding in etcd↗2022-02-15

▶

GHSA

DNS Rebinding in etcd↗2022-02-15

▶

CVEList

CVE-2018-1099: DNS rebinding vulnerability found in etcd 3↗2018-04-03

▶

OSV

CVE-2018-1099: DNS rebinding vulnerability found in etcd 3↗2018-04-03

▶

📋Vendor Advisories

Red Hat

etcd: DNS rebinding vulnerability in etcd server↗2018-03-07

▶

Debian

CVE-2018-1099: etcd - DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can con...↗2018

▶

💬Community

Bugzilla

CVE-2018-1098 CVE-2018-1099 etcd: various flaws [fedora-all]↗2018-03-07

▶

Bugzilla

CVE-2018-1099 etcd: DNS rebinding vulnerability in etcd server↗2018-03-07

▶