NVD published security issue in Etcd-io v.3.4.10 CVE-2021-28235


Alexander Bergmann

Apr 5, 2023, 3:36:12 AM
to etcd-dev
Hi etcd folks,

The following CVE was published at NVD yesterday. It's a privilege escalation without any direct details.


There are only 2 screenshots attached and I couldn't find any upstream reference. That's the reason I'm posting the question here, to ask whether you are aware of this problem or not.


Best regards,
Alexander Bergmann

Benjamin Wang

Apr 6, 2023, 6:42:32 AM
to etcd-dev
Thank you Alexander!

It's a valid CVE, and we already resolved it in https://github.com/etcd-io/etcd/pull/15648.

The fix will be backported to 3.5 and 3.4, and eventually included in 3.5.8 and 3.4.25.

FYI. The issue can only happen when all the following conditions are true:

  1. The auth is enabled;
  2. The log level is set to "debug";
  3. Clients send an authentication request to etcdserver with username & password. Note that the client SDK sends the authentication request automatically when reading or writing data.

Regards,
Benjamin Wang
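The three conditions above describe a password travelling through a debug-level request log. As an added illustration (not etcd's code and not the fix in the linked PR), the Go snippet below shows the failure mode beside the redaction pattern a defender wants, plus a check of the preconditions; the AuthenticateRequest and ServerConfig types are stand-ins constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthenticateRequest is a stand-in for the v3 Authenticate RPC payload
// (constructed for this example, not etcd's generated type).
type AuthenticateRequest struct {
	Name     string
	Password string
}

// ServerConfig holds the two server-side preconditions listed in the thread.
type ServerConfig struct {
	AuthEnabled bool
	LogLevel    string
}

// CredentialsReachLog is true when all three conditions from the thread hold:
// auth enabled, log level debug, and a request that actually carries a password.
func CredentialsReachLog(c ServerConfig, r AuthenticateRequest) bool {
	return c.AuthEnabled && strings.EqualFold(c.LogLevel, "debug") && r.Password != ""
}

// UnsafeDebugLine shows the failure mode: formatting the whole request with
// %+v writes the plaintext password into the debug log line.
func UnsafeDebugLine(r AuthenticateRequest) string {
	return fmt.Sprintf("received request: %+v", r)
}

// RedactedDebugLine is the hardened form: the password is replaced on a copy
// before the value reaches any log sink, independent of the configured level.
func RedactedDebugLine(r AuthenticateRequest) string {
	safe := r // copy; the caller's request is left untouched
	safe.Password = "[REDACTED]"
	return fmt.Sprintf("received request: %+v", safe)
}

func main() {
	cfg := ServerConfig{AuthEnabled: true, LogLevel: "debug"}
	req := AuthenticateRequest{Name: "alice", Password: "s3cret"} // constructed sample
	fmt.Println("exposed:", CredentialsReachLog(cfg, req))
	fmt.Println(UnsafeDebugLine(req))
	fmt.Println(RedactedDebugLine(req))
}
```

If a server ran with the first two conditions before upgrading, treat any password sent during that window as exposed in the logs and rotate it.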