CVE-2020-15106
published 2020-08-05CVE-2020-15106: In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file…
PriorityP432medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EPSS
1.29%
66.6th percentile
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | etcd | < etcd 3.3.25+dfsg-5 (bookworm) | etcd 3.3.25+dfsg-5 (bookworm) |
| etcd-io | etcd | < 3.3.23 | 3.3.23 |
| etcd-io | etcd | < 3.4.10 | 3.4.10 |
| etcd | etcd | < 3.3.23 | 3.3.23 |
| etcd | etcd | >= 0 < 3.3.25+dfsg-5 | 3.3.25+dfsg-5 |
| etcd | etcd | >= 0 < 3.3.25+dfsg-5 | 3.3.25+dfsg-5 |
| etcd | etcd | >= 0 < 3.3.25+dfsg-5 | 3.3.25+dfsg-5 |
| etcd | etcd | >= 0 < 3.3.25+dfsg-5 | 3.3.25+dfsg-5 |
| etcd | etcd | >= 0 < 3.2.26+dfsg-6ubuntu0.1 | 3.2.26+dfsg-6ubuntu0.1 |
| etcd | etcd | >= 0 < 3.2.17+dfsg-1ubuntu0.1~esm1 | 3.2.17+dfsg-1ubuntu0.1~esm1 |
| etcd | etcd | >= 3.4.0 < 3.4.10 | 3.4.10 |
| fedoraproject | fedora | — | — |
| go.etcd.io | etcd | >= 0 < 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 | 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 |
| go.etcd.io | etcd_v3 | >= 0 < 3.3.23 | 3.3.23 |
| go.etcd.io | etcd_v3 | >= 3.4.0 < 3.4.10 | 3.4.10 |
| msrc | cbl2_etcd_3.5.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:N/A:P
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Panic due to malformed WALs in go.etcd.io/etcd
osv·2023-02-07
CVE-2020-15106 [LOW] Panic due to malformed WALs in go.etcd.io/etcd
Panic due to malformed WALs in go.etcd.io/etcd
### Vulnerability type
Data Validation
### Detail
The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
### Specific Go Packages Affected
github.com/etcd-io/etcd/wal
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md
GHSA
Panic due to malformed WALs in go.etcd.io/etcd
ghsa·2023-02-07
CVE-2020-15106 [LOW] CWE-20 Panic due to malformed WALs in go.etcd.io/etcd
Panic due to malformed WALs in go.etcd.io/etcd
### Vulnerability type
Data Validation
### Detail
The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
### Specific Go Packages Affected
github.com/etcd-io/etcd/wal
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md
OSV
etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
osv·2022-10-06
CVE-2020-15106 [MEDIUM] etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
### Vulnerability type
Data Validation
### Detail
In the ReadAll method in wal/wal.go, it is possible to have an entry index greater then the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md)
OSV
etcd vulnerabilities
osv·2022-09-22·CVSS 6.5
CVE-2020-15106 [MEDIUM] etcd vulnerabilities
etcd vulnerabilities
It was discovered that etcd incorrectly handled certain specially crafted
WAL files. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15106, CVE-2020-15112)
It was discovered that etcd incorrectly handled directory permissions when
trying to create a directory that exists already. An attacker could
possibly use this issue to obtain sensitive information. (CVE-2020-15113)
It was discovered that etcd incorrectly handled endpoint setup. An
attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15114)
OSV
etcd vulnerabilities
osv·2022-09-22·CVSS 6.5
CVE-2020-15106 [MEDIUM] etcd vulnerabilities
etcd vulnerabilities
USN-5628-1 fixed vulnerabilities in etcd.
This update provides the corresponding updates for Ubuntu 18.04 ESM.
Original advisory details:
It was discovered that etcd incorrectly handled certain specially crafted
WAL files. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15106, CVE-2020-15112)
It was discovered that etcd incorrectly handled directory permissions when
trying to create a directory that exists already. An attacker could
possibly use this issue to obtain sensitive information. (CVE-2020-15113)
It was discovered that etcd incorrectly handled endpoint setup. An
attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15114)
OSV
Panic due to malformed WALs in go.etcd.io/etcd
osv·2021-04-14
CVE-2020-15106 Panic due to malformed WALs in go.etcd.io/etcd
Panic due to malformed WALs in go.etcd.io/etcd
Malformed WALs can be constructed such that WAL.ReadAll can cause attempted out of bounds reads, or creation of arbitrarily sized slices, which may be used as a DoS vector.
OSV
CVE-2020-15106: In etcd before versions 3
osv·2020-08-05·CVSS 6.5
CVE-2020-15106 [MEDIUM] CVE-2020-15106: In etcd before versions 3
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Ubuntu
etcd vulnerabilities
vendor_ubuntu·2022-09-22·CVSS 6.5
CVE-2020-15113 [MEDIUM] etcd vulnerabilities
Title: etcd vulnerabilities
Summary: Several security issues were fixed in etcd.
It was discovered that etcd incorrectly handled certain specially crafted
WAL files. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15106, CVE-2020-15112)
It was discovered that etcd incorrectly handled directory permissions when
trying to create a directory that exists already. An attacker could
possibly use this issue to obtain sensitive information. (CVE-2020-15113)
It was discovered that etcd incorrectly handled endpoint setup. An
attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15114)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
etcd vulnerabilities
vendor_ubuntu·2022-09-22·CVSS 6.5
CVE-2020-15113 [MEDIUM] etcd vulnerabilities
Title: etcd vulnerabilities
Summary: Several security issues were fixed in etcd.
USN-5628-1 fixed vulnerabilities in etcd.
This update provides the corresponding updates for Ubuntu 18.04 ESM.
Original advisory details:
It was discovered that etcd incorrectly handled certain specially crafted
WAL files. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15106, CVE-2020-15112)
It was discovered that etcd incorrectly handled directory permissions when
trying to create a directory that exists already. An attacker could
possibly use this issue to obtain sensitive information. (CVE-2020-15113)
It was discovered that etcd incorrectly handled endpoint setup. An
attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15114)
Instructions:
Microsoft
Improper Input Validation in etcd
vendor_msrc·2020-08-11·CVSS 6.5
CVE-2020-15106 [MEDIUM] CWE-20 Improper Input Validation in etcd
Improper Input Validation in etcd
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/e
Red Hat
etcd: Large slice causes panic in decodeRecord method
vendor_redhat·2020-08-05·CVSS 6.5
CVE-2020-15106 [MEDIUM] CWE-400 etcd: Large slice causes panic in decodeRecord method
etcd: Large slice causes panic in decodeRecord method
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
A flaw was found In etcd, where a large slice causes panic in the decodeRecord method. The size of a record is stored in the length field of a WAL file, and no additional validation is performed on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. The
Debian
CVE-2020-15106: etcd - In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeR...
vendor_debian·2020·CVSS 6.5
CVE-2020-15106 [MEDIUM] CVE-2020-15106: etcd - In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeR...
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Scope: local
bookworm: resolved (fixed in 3.3.25+dfsg-5)
bullseye: resolved (fixed in 3.3.25+dfsg-5)
forky: resolved (fixed in 3.3.25+dfsg-5)
sid: resolved (fixed in 3.3.25+dfsg-5)
trixie: resolved (fixed in 3.3.25+dfsg-5)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15106 etcd: large slice causes panic in decodeRecord method [fedora-all]
bugzilla·2020-08-14·CVSS 6.5
CVE-2020-15106 [MEDIUM] CVE-2020-15106 etcd: large slice causes panic in decodeRecord method [fedora-all]
CVE-2020-15106 etcd: large slice causes panic in decodeRecord method [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2020-15106 etcd: Large slice causes panic in decodeRecord method
bugzilla·2020-08-14·CVSS 6.5
CVE-2020-15106 [MEDIUM] CVE-2020-15106 etcd: Large slice causes panic in decodeRecord method
CVE-2020-15106 etcd: Large slice causes panic in decodeRecord method
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
References:
https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
Discussion:
Created etcd tracking bugs for this issue:
Affects: fedora-all [bug 1868884]
---
Upstream fix: https://github.com/etcd-io/etcd/commit/4571e528f49625d3de3170f219a45c3b3d38c675
---
External References:
https://github.com/etcd-io/etcd/security/advisories/GH
https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/
2020-08-05
Published