Description
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.1 | Impact: 4.0
Attack Vector: Network
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High
Affected Packages (4 packages)
Debian: etcd < 3.3.25+dfsg-5 (and 3 more packages)
Also affects: Fedora 32
Vulnerability Details (6)
OSV: Etcd Gateway can include itself as an endpoint resulting in resource exhaustion (2024-01-31)
GHSA: Etcd Gateway can include itself as an endpoint resulting in resource exhaustion (2024-01-31)
OSV: etcd vulnerabilities (2022-09-22)
OSV: CVE-2020-15114: In etcd before versions 3 (2020-08-06)
Vendor Advisories (5)
Ubuntu: etcd vulnerabilities (2022-09-22)
Microsoft: Denial of Service in etcd (2020-08-11)
Red Hat: etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS (2020-08-05)
Debian: CVE-2020-15114: etcd - In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP prox... (2020)
Community (2)
Bugzilla: CVE-2020-15114 etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS [fedora-all] (2020-08-14)
Bugzilla: CVE-2020-15114 etcd: gateway can include itself as an endpoint resulting in resource exhaustion and leads to DoS (2020-08-14)