cbcvebase.
CVE-2020-15113
published 2020-08-05

CVE-2020-15113: In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically…

PriorityP433high7.1CVSS 3.1
AVLACLPRLUINSUCHIHAN
EPSS
0.23%
13.6th percentile
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).

Affected

17 ranges
VendorProductVersion rangeFixed in
debianetcd< etcd 3.3.25+dfsg-5 (bookworm)etcd 3.3.25+dfsg-5 (bookworm)
etcd-ioetcd< 3.3.233.3.23
etcd-ioetcd< 3.4.103.4.10
etcdetcd< 3.3.233.3.23
etcdetcd>= 0 < 3.3.25+dfsg-53.3.25+dfsg-5
etcdetcd>= 0 < 3.3.25+dfsg-53.3.25+dfsg-5
etcdetcd>= 0 < 3.3.25+dfsg-53.3.25+dfsg-5
etcdetcd>= 0 < 3.3.25+dfsg-53.3.25+dfsg-5
etcdetcd>= 0 < 3.2.26+dfsg-6ubuntu0.13.2.26+dfsg-6ubuntu0.1
etcdetcd>= 0 < 3.2.17+dfsg-1ubuntu0.1~esm13.2.17+dfsg-1ubuntu0.1~esm1
etcdetcd>= 3.4.0 < 3.4.103.4.10
fedoraprojectfedora
github.cometcd-io_etcd>= 0 < 3.3.233.3.23
github.cometcd-io_etcd>= 3.4.0-rc.0 < 3.4.103.4.10
msrccbl2_etcd_3.5.0-3_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64

CVSS provenance

nvdv3.17.1HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvdv2.03.6LOWAV:L/AC:L/Au:N/C:P/I:P/A:N
osv7.1HIGH
vendor_msrc7.1HIGH
vendor_ubuntu6.5MEDIUM
vendor_debian5.7MEDIUM
vendor_redhat5.7MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.