CVE-2020-15113: Improper Preservation of Permissions in Etcd

Severity
7.1 HIGH (NVD)
CNA: 5.7, OSV: 6.5
EPSS: 0.0% (top 93.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 5
Latest update: Jan 30

Description

In etcd before versions 3.3.23 and 3.4.10, certain directory paths (the etcd data directory, and the directory path provided for automatically generating self-signed certificates for TLS connections with clients) are created with restricted access permissions (700) using os.MkdirAll. This function does not perform any permission checks when the given directory path already exists, so a pre-existing directory keeps whatever permissions it already had. A possible workaround is to ensure the directories have the desired permission (700).
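The behaviour described above, and a post-creation permission check, as an added example that is not etcd's own code or its actual fix. The function names, the temporary paths and the pre-existing 0755 directory are assumptions constructed for illustration; Unix permission semantics are assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

const privateMode os.FileMode = 0o700

// mkdirUnchecked is the pattern the description warns about: os.MkdirAll
// returns nil for an existing directory and leaves its mode untouched.
func mkdirUnchecked(dir string) error {
	return os.MkdirAll(dir, privateMode)
}

// mkdirPrivate creates dir if needed, then refuses to continue unless the
// directory that is actually on disk has exactly mode 0700.
func mkdirPrivate(dir string) error {
	if err := os.MkdirAll(dir, privateMode); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm != privateMode {
		return fmt.Errorf("%s has mode %04o, want %04o", dir, perm, privateMode)
	}
	return nil
}

func main() {
	base, err := os.MkdirTemp("", "mkdirall-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	// Constructed precondition: the data directory already exists as 0755.
	dir := filepath.Join(base, "data")
	if err := os.Mkdir(dir, 0o755); err != nil {
		panic(err)
	}
	if err := os.Chmod(dir, 0o755); err != nil { // set mode regardless of umask
		panic(err)
	}
	fmt.Println("unchecked:", mkdirUnchecked(dir)) // nil; mode is still 0755
	fmt.Println("checked:  ", mkdirPrivate(dir))   // error reporting mode 0755
}
```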

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.2

Affected Packages (5 packages)

NVD: etcd/etcd 3.4.0 3.4.10 (+1)
CVEListV5: etcd-io/etcd < 3.3.23 (+1)
Go: github.com/etcd-io_etcd 3.4.0-rc.0 3.4.10 (+1)
Debian: etcd/etcd < 3.3.25+dfsg-5 (+3)
Ubuntu: etcd/etcd < 3.2.26+dfsg-6ubuntu0.1

Also affects: Fedora 32

🔴 Vulnerability Details (6)

GHSA: Improper Preservation of Permissions in etcd (2024-01-30)
OSV: Improper Preservation of Permissions in etcd (2024-01-30)
OSV: etcd vulnerabilities (2022-09-22)
OSV: etcd vulnerabilities (2022-09-22)
OSV: CVE-2020-15113: In etcd before versions 3 (2020-08-05)

📋 Vendor Advisories (5)

Ubuntu: etcd vulnerabilities (2022-09-22)
Ubuntu: etcd vulnerabilities (2022-09-22)
Microsoft: Improper Preservation of Permissions in etcd (2020-08-11)
Red Hat: etcd: directories created via os.MkdirAll are not checked for permissions (2020-08-05)
Debian: CVE-2020-15113: etcd - In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (... (2020)

💬 Community (2)

Bugzilla: CVE-2020-15113 etcd: directories created via os.MkdirAll are not checked for permissions (2020-08-14)
Bugzilla: CVE-2020-15113 etcd: directories created via os.MkdirAll are not checked for permissions [fedora-all] (2020-08-14)