etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 02:53
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-01-14 19:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-16886
Mitre link : CVE-2018-16886
CVE.ORG link : CVE-2018-16886
JSON object : View
Products Affected
redhat
- enterprise_linux_desktop
- enterprise_linux_server
- enterprise_linux_workstation
fedoraproject
- fedora
etcd
- etcd
CWE
CWE-287
Improper Authentication