CVE-2021-28235 (GCVE-0-2021-28235)
Vulnerability from cvelistv5
Published
2023-04-04 00:00
Modified
2025-02-18 17:09
CWE
- n/a
Summary
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:13.808Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "http://etcd.com" }, { "tags": [ "x_transferred" ], "url": "https://github.com/etcd-io/etcd" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "tags": [ "x_transferred" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "tags": [ "x_transferred" ], "url": "https://github.com/etcd-io/etcd/pull/15648" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-28235", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-14T17:24:41.838121Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-18T17:09:40.620Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-11T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "http://etcd.com" }, { "url": "https://github.com/etcd-io/etcd" }, { "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "url": "https://github.com/etcd-io/etcd/pull/15648" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28235", "datePublished": "2023-04-04T00:00:00.000Z", "dateReserved": "2021-03-12T00:00:00.000Z", "dateUpdated": "2025-02-18T17:09:40.620Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-28235\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-04-04T15:15:08.507\",\"lastModified\":\"2025-02-18T17:15:11.817\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug 
function.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:etcd:etcd:3.4.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"423FB650-0346-4036-B0CE-D07170756FA4\"}]}]}],\"references\":[{\"url\":\"http://etcd.com\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/etcd-io/etcd\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/etcd-io/etcd/pull/15648\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"http://etcd.com\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken 
Link\"]},{\"url\":\"https://github.com/etcd-io/etcd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/etcd-io/etcd/pull/15648\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://etcd.com\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/etcd-io/etcd\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/etcd-io/etcd/pull/15648\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T21:40:13.808Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-28235\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-14T17:24:41.838121Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-14T17:25:10.421Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"http://etcd.com\"}, {\"url\": 
\"https://github.com/etcd-io/etcd\"}, {\"url\": \"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png\"}, {\"url\": \"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png\"}, {\"url\": \"https://github.com/etcd-io/etcd/pull/15648\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-04-11T00:00:00.000Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2021-28235\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T17:09:40.620Z\", \"dateReserved\": \"2021-03-12T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-04-04T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
GHSA-gmph-wf7j-9gcm
Vulnerability from github
Published
2023-04-04 15:30
Modified
2023-04-11 21:32
Summary
Etcd-io Improper Authentication vulnerability
Details
{ "affected": [ { "package": { "ecosystem": "Go", "name": "go.etcd.io/etcd/v3" }, "versions": [ "3.4.10" ] } ], "aliases": [ "CVE-2021-28235" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2023-04-11T21:32:54Z", "nvd_published_at": "2023-04-04T15:15:00Z", "severity": "CRITICAL" }, "details": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.\n\nThis has been fixed in v.[3.5.8](https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#etcd-server) and was also backported to [3.4](https://github.com/etcd-io/etcd/pull/15655) and [3.5](https://github.com/etcd-io/etcd/pull/15653).", "id": "GHSA-gmph-wf7j-9gcm", "modified": "2023-04-11T21:32:54Z", "published": "2023-04-04T15:30:27Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235" }, { "type": "WEB", "url": "https://github.com/etcd-io/etcd/pull/15648" }, { "type": "PACKAGE", "url": "https://github.com/etcd-io/etcd" }, { "type": "WEB", "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "type": "WEB", "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "type": "WEB", "url": "http://etcd.com" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Etcd-io Improper Authentication vulnerability" }
openSUSE-SU-2024:12896-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
etcd-3.5.8-1.1 on GA media
Notes
Title of the patch
etcd-3.5.8-1.1 on GA media
Description of the patch
These are all security issues fixed in the etcd-3.5.8-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-12896
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "etcd-3.5.8-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the etcd-3.5.8-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-12896", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12896-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" } ], "title": "etcd-3.5.8-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:12896-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { 
"branches": [ { "category": "product_version", "name": "etcd-3.5.8-1.1.aarch64", "product": { "name": "etcd-3.5.8-1.1.aarch64", "product_id": "etcd-3.5.8-1.1.aarch64" } }, { "category": "product_version", "name": "etcdctl-3.5.8-1.1.aarch64", "product": { "name": "etcdctl-3.5.8-1.1.aarch64", "product_id": "etcdctl-3.5.8-1.1.aarch64" } }, { "category": "product_version", "name": "etcdutl-3.5.8-1.1.aarch64", "product": { "name": "etcdutl-3.5.8-1.1.aarch64", "product_id": "etcdutl-3.5.8-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.8-1.1.ppc64le", "product": { "name": "etcd-3.5.8-1.1.ppc64le", "product_id": "etcd-3.5.8-1.1.ppc64le" } }, { "category": "product_version", "name": "etcdctl-3.5.8-1.1.ppc64le", "product": { "name": "etcdctl-3.5.8-1.1.ppc64le", "product_id": "etcdctl-3.5.8-1.1.ppc64le" } }, { "category": "product_version", "name": "etcdutl-3.5.8-1.1.ppc64le", "product": { "name": "etcdutl-3.5.8-1.1.ppc64le", "product_id": "etcdutl-3.5.8-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.8-1.1.s390x", "product": { "name": "etcd-3.5.8-1.1.s390x", "product_id": "etcd-3.5.8-1.1.s390x" } }, { "category": "product_version", "name": "etcdctl-3.5.8-1.1.s390x", "product": { "name": "etcdctl-3.5.8-1.1.s390x", "product_id": "etcdctl-3.5.8-1.1.s390x" } }, { "category": "product_version", "name": "etcdutl-3.5.8-1.1.s390x", "product": { "name": "etcdutl-3.5.8-1.1.s390x", "product_id": "etcdutl-3.5.8-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.8-1.1.x86_64", "product": { "name": "etcd-3.5.8-1.1.x86_64", "product_id": "etcd-3.5.8-1.1.x86_64" } }, { "category": "product_version", "name": "etcdctl-3.5.8-1.1.x86_64", "product": { "name": "etcdctl-3.5.8-1.1.x86_64", "product_id": "etcdctl-3.5.8-1.1.x86_64" } }, { 
"category": "product_version", "name": "etcdutl-3.5.8-1.1.x86_64", "product": { "name": "etcdutl-3.5.8-1.1.x86_64", "product_id": "etcdutl-3.5.8-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.8-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-3.5.8-1.1.aarch64" }, "product_reference": "etcd-3.5.8-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.8-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-3.5.8-1.1.ppc64le" }, "product_reference": "etcd-3.5.8-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.8-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-3.5.8-1.1.s390x" }, "product_reference": "etcd-3.5.8-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.8-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-3.5.8-1.1.x86_64" }, "product_reference": "etcd-3.5.8-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.8-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.aarch64" }, "product_reference": 
"etcdctl-3.5.8-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.8-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.ppc64le" }, "product_reference": "etcdctl-3.5.8-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.8-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.s390x" }, "product_reference": "etcdctl-3.5.8-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.8-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.x86_64" }, "product_reference": "etcdctl-3.5.8-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.8-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.aarch64" }, "product_reference": "etcdutl-3.5.8-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.8-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.ppc64le" }, "product_reference": "etcdutl-3.5.8-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.8-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.s390x" }, "product_reference": "etcdutl-3.5.8-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": 
"etcdutl-3.5.8-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.x86_64" }, "product_reference": "etcdutl-3.5.8-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:etcd-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcd-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcd-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcd-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:etcd-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcd-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcd-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcd-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.s390x", 
"openSUSE Tumbleweed:etcdctl-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:etcd-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcd-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcd-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcd-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcdctl-3.5.8-1.1.x86_64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.aarch64", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.ppc64le", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.s390x", "openSUSE Tumbleweed:etcdutl-3.5.8-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2021-28235" } ] }
openSUSE-SU-2024:13370-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
etcd-for-k8s1.26-3.5.9-1.1 on GA media
Notes
Title of the patch
etcd-for-k8s1.26-3.5.9-1.1 on GA media
Description of the patch
These are all security issues fixed in the etcd-for-k8s1.26-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13370
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "etcd-for-k8s1.26-3.5.9-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the etcd-for-k8s1.26-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13370", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13370-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" } ], "title": "etcd-for-k8s1.26-3.5.9-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13370-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": 
{ "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.26-3.5.9-1.1.aarch64", "product": { "name": "etcd-for-k8s1.26-3.5.9-1.1.aarch64", "product_id": "etcd-for-k8s1.26-3.5.9-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "product": { "name": "etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "product_id": "etcd-for-k8s1.26-3.5.9-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.26-3.5.9-1.1.s390x", "product": { "name": "etcd-for-k8s1.26-3.5.9-1.1.s390x", "product_id": "etcd-for-k8s1.26-3.5.9-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.26-3.5.9-1.1.x86_64", "product": { "name": "etcd-for-k8s1.26-3.5.9-1.1.x86_64", "product_id": "etcd-for-k8s1.26-3.5.9-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.26-3.5.9-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.aarch64" }, "product_reference": "etcd-for-k8s1.26-3.5.9-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.26-3.5.9-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.ppc64le" }, 
"product_reference": "etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.26-3.5.9-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.s390x" }, "product_reference": "etcd-for-k8s1.26-3.5.9-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.26-3.5.9-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.x86_64" }, "product_reference": "etcd-for-k8s1.26-3.5.9-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "openSUSE 
Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.26-3.5.9-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2021-28235" } ] }
openSUSE-SU-2025:0003-1
Vulnerability from csaf_opensuse
Published
2025-01-07 15:04
Modified
2025-01-07 15:04
Summary
Security update for etcd
Notes
Title of the patch
Security update for etcd
Description of the patch
This update for etcd fixes the following issues:
- Update to version 3.5.12:
* Bump golang.org/x/crypto to v0.17+ to address CVE-2023-48795
* test: fix TestHashKVWhenCompacting: ensure all goroutine finished
* print error log when creating peer listener failed
* mvcc: Printing etcd backend database related metrics inside scheduleCompaction function
* dependency: update go version to 1.20.13
* commit bbolt transaction if there is any pending deleting operations
* add tests to test tx delete consistency.
* Don't flock snapshot files
* Backport adding digest for etcd base image.
* Add a unit tests and missing flags in etcd help.
* Add missing flag in etcd help.
* Backport testutils.ExecuteUntil to 3.5 branch
* member replace e2e test
* Check if be is nil to avoid panic when be is overridden with nil by recoverSnapshotBackend on line 517
* Don't redeclare err and snapshot variable, fixing validation of consistent index and closing database on defer
* test: enable gofail in release e2e test.
* [3.5] backport health check e2e tests.
* tests: Extract e2e cluster setup to separate package
- Update to version 3.5.11:
* etcdserver: add linearizable_read check to readyz.
* etcd: Update go version to 1.20.12
* server: disable redirects in peer communication
* etcdserver: add metric counters for livez/readyz health checks.
* etcdserver: add livez and ready http endpoints for etcd.
* http health check bug fixes
* server: Split metrics and health code
* server: Cover V3 health with tests
* server: Refactor health checks
* server: Run health check tests in subtests
* server: Rename test case expect fields
* server: Use named struct initialization in healthcheck test
* Backport server: Don't follow redirects when checking peer urls.
* Backport embed: Add tracing integration test.
* Backport server: Have tracingExporter own resources it initialises.
* Backport server: Add sampling rate to distributed tracing.
* upgrade github.com/stretchr/testify,google.golang.org/genproto/googleapis/api,google.golang.org/grpc to make it consistent
* CVE-2023-47108: Backport go.opentelemetry.io/otel@v1.20.0 and go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.46.0
* github workflow: run arm64 tests on every push
* etcd: upgrade go version from 1.20.10 to 1.20.11
* bump bbolt to 1.3.8 for etcd 3.5
* 3.5: upgrade gRPC-go to 1.58.3
* Backport corrupt check test fix 'etcd server shouldn't wait for the ready notification infinitely on startup'
* etcdserver: add cluster id check for hashKVHandler
* [release-3.5]: upgrade gRPC-go to v1.52.0
* backport #14125 to release-3.5: Update to grpc-1.47 (and fix the connection-string format)
* Return to default write scheduler since golang.org/x/net@v0.11.0 started using round robin
* Bump go to v1.20.10 Part of https://github.com/etcd-io/etcd/issues/16740
* bump golang.org/x/net to 0.17.0 Part of https://github.com/etcd-io/etcd/issues/16740
* etcd: upgrade go version to 1.20.9
* Remove obsolete http 1.0 version.
* fix:Ensure that go version is only defined in one file for release-3.5
* Fix panic in etcd validate secure endpoints
* dependency: bump golang to 1.20.8
* Backport redirect metrics data into file to reduce output.
* test.sh: increase timeout for grpcproxy test
* test: add v3 curl test to cover maintenance hash/hashkv REST API
* api: fix duplicate gateway url issue
* pkg: add a verification on the pagebytes which must be > 0
* tests: Backport deflake for TestWatchDelay
* tests: Backport deflake for TestPageWriterRandom
* Backport adding unit test for socket options.
* Backport export reuse-port and reuse-address
* Fix goword failure in rafthttp/transport.go.
* Backport update to golang 1.20 minor release.
* bump go version to 1.19.12
* Update workflows to use makefile recipes for unit, integration & e2e-release.
* Backport Makefile recipes for common test commands.
* pkg/flags: fix UniqueURLs'Set to remove duplicates in UniqueURLs'uss
* Backport fix to e2e release version identification.
* Backport #14368 to v3.5
* Follow up https://github.com/etcd-io/etcd/pull/16068#discussion_r1263667496
* etcdserver: backport check scheduledCompactKeyName and finishedCompactKeyName before writing hash to release-3.5.
* Backport #13577 Disable auth gracefully without impacting existing watchers.
* bump go version to 1.19.11 to fix CVE GO-2023-1878
* clientv3: create keepAliveCtxCloser goroutine only if ctx can be canceled
* [3.5] etcdutl: fix db double closed
* clientv3: remove v3.WithFirstKey() in Barrier.Wait()
* update etcdctl flag description for snapshot restores
* etcdutl: update description for --mark-compacted and --bump-revision flags in snapshot restore command
* Adding optional revision bump and mark compacted to snapshot restore
* Revert 'Merge pull request #16119 from natusameer/release-3.5'
* Add e2e-arm64.yaml and tests-arm64.yaml to release-3.5 scheduled at 1.30
* Backport .github/workflows: Read .go-version as a step and not separate workflow.
* Add first unit test for authApplierV3
* Early exit auth check on lease puts
* remove stack log when etcdutl restore
* etcdserver: fix corruption check when server has just been compacted
* replace gobin with go install
* [3.5] Backport updating go to latest patch release 1.19.10
* add compact hash check to help
* Fix test of clientv3/naming
* clientv3/naming/endpoints: fix endpoints prefix bug (fixes bug with multiple endpoints with the same prefix)
* grpcproxy: fix memberlist results not update when proxy node down
- Update to version 3.5.9:
* Move go version to dedicated .go-version file
* tests: e2e and integration test for timetolive
* etcdserver: protect lease timetolive with auth
* Backport go update to latest patch release 1.19.9.
* Backport centralising go version for actions workflows.
* server: backport 15743, improved description of --initial-cluster-state flag
- Update to version 3.5.8:
* etcdserver: Guarantee order of requested progress notifications
* etcdserver: verify field 'username' and 'revision' present when decoding a JWT token
* set zap logging to wsproxy
* security: remove password after authenticating the user
* test: add an e2e test to reproduce https://nvd.nist.gov/vuln/detail/CVE-2021-28235
* bump golang to 1.19.8
* server/auth: disallow creating empty permission ranges
* chore: enable strict mode for test CI
* Fixes: #15266 All docker images of Architecture show amd64
* scripts: Add testing of etcd in local image in release workflow.
* server: Fix defer function closure escape
* tests: Test separate http port connection multiplexing
* server: Add --listen-client-http-urls flag to allow running grpc server separate from http server
* server: Pick one address that all grpc gateways connect to
* server: Extract resolveUrl helper function
* server: Separate client listener grouping from serving
* refactor: Use proper variable names for urls
* server/auth: fix addUserWithNoOption of store_test
* server/auth: fix auth panic bug when user changes password
* Automated cherry-pick of #14860: Trigger release in current branch for github workflow case
* server/embed: fix data race when start insecure grpc
* server: Test watch restore
* mvcc: update minRev when watcher stays synced
* tests: Add v2 API to connection multiplexing test
* tests: Add connection multiplexer testing
* tests: Backport RunUtilCompletion
* tests: Backport tls for etcdctl
* tests: Extract e2e test utils
* tests: Allow specifying http version in curl
* tests: Refactor newClient args
* tests: Refactor CURLPrefixArgs
* Backport tls 1.3 support.
* server: Switch back to random scheduler to improve resilience to watch starvation
* test: Test etcd watch stream starvation under high read response load when sharing the same connection
* tests: Allow configuring progress notify interval in e2e tests
* Run go mod tidy
* Updated go to 1.19.7.
* Backport go_srcs_in_module changes and fix goword failures.
* Formatted source code for go 1.19.6.
* Bump to go 1.19.6
* Bump golang.org/x/net to v0.7.0 to address CVE GO-2023-1571.
* test: enhance the test case TestV3WatchProgressOnMemberRestart
* clientv3: correct the nextRev on receiving progress notification response
* etcdserver: add failpoints walBeforeSync and walAfterSync
* Fix regression in timestamp resolution
* upgrade cockroachdb/datadriven to v1.0.2 to remove archived dependencies
* bump github.com/stretchr/testify to v1.8.1
* bump bbolt to v1.3.7 for release-3.5
* netutil: consistently format ipv6 addresses
* docker: remove nsswitch.conf
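The 3.5.8 entry "etcdserver: verify field 'username' and 'revision' present when decoding a JWT token" names a check that is easy to get wrong in Go: json.Unmarshal leaves an absent field at its zero value, so a correctly signed token that simply omits the username would decode as user "" at revision 0 unless presence is tested explicitly. The following is an added example, not etcd's token provider: it mints and verifies an HS256 token with the standard library only (chosen so the block is self-contained; it says nothing about which signing methods etcd itself accepts), pins the algorithm instead of trusting the header, and then rejects any token missing either claim. The names `signHS256`, `parseToken`, `tokenClaims` and the demo key are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenClaims holds the two claims an etcd-style auth token must carry:
// the user it was issued to and the auth-store revision it was minted at.
// Absent fields decode as "" and 0, which is why parseToken checks presence
// separately before decoding into this struct.
type tokenClaims struct {
	Username string `json:"username"`
	Revision int64  `json:"revision"`
}

var errBadToken = errors.New("invalid token")

// b64 is the unpadded base64url alphabet JWTs use.
var b64 = base64.RawURLEncoding

// signHS256 mints a JWT over the given claims (demo helper; assumed name).
func signHS256(key []byte, claims map[string]any) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// parseToken verifies the signature first, then requires that "username" and
// "revision" are both present and non-zero. A token that fails any step is
// rejected rather than mapped to an empty user or revision 0.
func parseToken(key []byte, token string) (tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return tokenClaims{}, errBadToken
	}
	// Pin the algorithm: never let the token's own header choose it.
	hdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return tokenClaims{}, errBadToken
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdr, &header) != nil || header.Alg != "HS256" {
		return tokenClaims{}, errBadToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return tokenClaims{}, errBadToken
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return tokenClaims{}, errBadToken
	}
	// Presence check: decode into a map so a missing key is distinguishable
	// from a key whose value happens to be the zero value.
	var raw map[string]json.RawMessage
	if json.Unmarshal(payload, &raw) != nil {
		return tokenClaims{}, errBadToken
	}
	for _, field := range []string{"username", "revision"} {
		if _, ok := raw[field]; !ok {
			return tokenClaims{}, fmt.Errorf("%w: missing claim %q", errBadToken, field)
		}
	}
	var c tokenClaims
	if json.Unmarshal(payload, &c) != nil || c.Username == "" || c.Revision <= 0 {
		return tokenClaims{}, errBadToken
	}
	return c, nil
}

func main() {
	key := []byte("demo-signing-key") // constructed demo key, not a real deployment secret
	good := signHS256(key, map[string]any{"username": "root", "revision": 7})
	bad := signHS256(key, map[string]any{"revision": 7}) // validly signed, but no username
	for _, tok := range []string{good, bad} {
		c, err := parseToken(key, tok)
		fmt.Printf("claims=%+v err=%v\n", c, err)
	}
}
```

The second token in main is signed with the right key, so a parser that only verifies the signature and then unmarshals straight into the struct would accept it as user "" at revision 0; the explicit presence check is what turns that into a rejection.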
- Update to version 3.5.7:
* etcdserver: return membership.ErrIDNotFound when the memberID not found
* etcdserver: process the scenario of the last WAL record being partially synced to disk
* update nsswitch.conf for 3.5
* 3.5: remove the dependency on busybox
* Remove dependency on gobin
* resolve build error: parameter may not start with quote character '
* remove .travis.yml
* format the source code and tidy the dependencies using go 1.17.13
* bump go version to 1.17.13
* deps: bump golang.org/x/net to v0.4.0 to address CVEs
* security: use distroless base image to address critical Vulnerabilities
* cidc: specify the correct branch name of release-3.5 in workflow for trivy nightly scan
* Add trivy nightly scan for release-3.5
* clientv3: revert the client side change in 14547
* client/pkg/v3: fixes Solaris build of transport
* etcdserver: fix nil pointer panic for readonly txn
* Fix go fmt error
* [3.5] Backport: non mutating requests pass through quotaKVServer when NOSPACE
* etcdserver: intentionally set the memberID as 0 in corruption alarm
- Update to version 3.5.6:
* release: build with consistent paths
* client/pkg/fileutil: add missing logger to {Create,Touch}DirAll
* test: add test case to cover the CommonName based authentication
* test: add certificate with root CommonName
* clientv3: do not refresh token when using TLS CommonName based authentication
* etcdserver: call the OnPreCommitUnsafe in unsafeCommit
* add range flag for delete in etcdctl
* server: add more context to panic message
* fix: close conn
* clientv3: fix the design & implementation of double barrier
* test: added e2e test case for issue 14571: etcd doesn't load auth info when recovering from a snapshot
* etcdserver: call refreshRangePermCache on Recover() in AuthStore. #14574
* server: add a unit test case for authStore.Recover() with empty rangePermCache
* Backport #14591 to 3.5.
* client/v3: Add backoff before retry when watch stream returns unavailable
* etcdserver: added more debug log for the purgeFile goroutine
* netutil: make a `raw` URL comparison part of the urlsEqual function
* Apply suggestions from code review
* netutil: add url comparison without resolver to URLStringsEqual
* tests/Dockerfile: Switch to ubuntu 22.04 base
* Makefile: Additional logic fix
* *: avoid closing a watch with ID 0 incorrectly
* tests: a test case for watch with auth token expiration
* *: handle auth invalid token and old revision errors in watch
* server/etcdmain: add configurable cipher list to gRPC proxy listener
* Replace github.com/form3tech-oss/jwt-go with https://github.com/golang-jwt/jwt/v4
- Update to version 3.5.5:
* fix the flaky test fix_TestV3AuthRestartMember_20220913 for 3.5
* etcdctl: fix move-leader for multiple endpoints
* testing: fix TestOpenWithMaxIndex cleanup
* server,test: refresh cache on each NewAuthStore
* server/etcdmain: add build support for Apple M1
* tests: Fix member id in CORRUPT alarm
* server: Make corruption check optional and period configurable
* server: Implement compaction hash checking
* tests: Cover periodic check in tests
* server: Refactor compaction checker
* tests: Move CorruptBBolt to testutil
* tests: Rename corruptHash to CorruptBBolt
* tests: Unify TestCompactionHash and extend it to also Delete keys and Defrag
* tests: Add tests for HashByRev HTTP API
* tests: Add integration tests for compact hash
* server: Cache compaction hash for HashByRev API
* server: Extract hasher to separate interface
* server: Remove duplicated compaction revision
* server: Return revision range that hash was calculated for
* server: Store real rv range in hasher
* server: Move adjusting revision to hasher
* server: Pass revision as int
* server: Calculate hash during compaction
* server: Fix range in mock not returning same number of keys and values
* server: Move reading KV index inside scheduleCompaction function
* server: Return error from scheduleCompaction
* server: Refactor hasher
* server: Extract kvHash struct
* server: Move unsafeHashByRev to new hash.go file
* server: Extract unsafeHashByRev function
* server: Test HashByRev values to make sure they don't change
* server: Cover corruptionMonitor with tests
* server: Extract corruption detection to dedicated struct
* server: Extract triggerCorruptAlarm to function
* move consistent_index forward when executing alarmList operation
* fix the potential data loss for clusters with only one member
* [backport 3.5] server: don't panic in readonly serializable txn
* Backport of pull/14354 to 3.5.5
* Refactor the keepAliveListener and keepAliveConn
* clientv3: close streams after use in lessor keepAliveOnce method
* Change default sampling rate from 100% to 0%
* Fix the failure in TestEndpointSwitchResolvesViolation
* update all related dependencies
* move setupTracing into a separate file config_tracing.go
* etcdserver: bump OpenTelemetry to 1.0.1
* Change default sampling rate from 100% to 0%
* server/auth: protect rangePermCache with a RW lock
* Improve error message for incorrect values of ETCD_CLIENT_DEBUG
* add e2e test cases to cover the maxConcurrentStreams
* Add flag `--max-concurrent-streams` to set the max concurrent stream each client can open at a time
* add the uint32Value data type
* Client: fix check for WithPrefix op
* client/v3: do not overwrite authTokenBundle on dial
* restrict the max size of each WAL entry to the remaining size of the file
* Add FileReader and FileBufReader utilities
* Backport two lease related bug fixes to 3.5
* scripts: Detect staged files before building release
* scripts: Avoid additional repo clone
* Make DRY_RUN explicit
* scripts: Add tests for release scripts
* server/auth: enable tokenProvider if recovered store enables auth
* Update golang.org/x/crypto to latest
- Update to version 3.5.4:
* Update consistent_index when applying fails
* Add unit test for canonical SRV records
* Revert 'trim the suffix dot from the srv.Target for etcd-client DNS lookup'
- add variable ETCD_OPTIONS to both service unit and configuration file
this allows the user to easily add things like '--enable-v2=true'
- Update to version 3.5.3:
https://github.com/etcd-io/etcd/compare/v3.5.2...v3.5.3
* clientv3: disable mirror auth test with proxy
* cv3/mirror: Fetch the most recent prefix revision
* set backend to cindex before recovering the lessor in applySnapshot
* support linearizable renew lease
* clientv3: filter learners members during autosync
* etcdserver: upgrade the golang.org/x/crypto dependency
* fix the data inconsistency issue by adding a txPostLockHook into the backend
* server: Save consistency index and term to backend even when they decrease
* server: Add verification of whether lock was called within or outside of apply
* go.mod: Upgrade to prometheus/client_golang v1.11.1
* server: Use default logging configuration instead of zap production one
* Fix offline defrag
* backport 3.5: #13676 load all leases from backend
* server/storage/backend: restore original bolt db options after defrag
* always print raft term in decimal when displaying member list in json
* enhance health check endpoint to support serializable request
* trim the suffix dot from the srv.Target for etcd-client DNS lookup
- Drop ETCD_UNSUPPORTED_ARCH=arm64 from sysconfig as ARM64 is now officially supported
- Update etcd.conf variables
- Add the new etcdutl into separate subpackage
- Update to version 3.5.2:
* Update dep: require gopkg.in/yaml.v2 v2.2.8 -> v2.4.0 due to: CVE-2019-11254.
* fix runlock bug
* server: Require either cluster version v3.6 or --experimental-enable-lease-checkpoint-persist to persist lease remainingTTL
* etcdserver,integration: Store remaining TTL on checkpoint
* lease,integration: add checkpoint scheduling after leader change
* set the backend again after recovering v3 backend from snapshot
* *: implement a retry logic for auth old revision in the client
* client/v3: refresh the token when ErrUserEmpty is received while retrying
* server/etcdserver/api/etcdhttp: exclude the same alarm type activated by multiple peers
* storage/backend: Add a gauge to indicate if defrag is active (backport from 3.6)
- Update to version 3.5.1:
* version: 3.5.1
* Dockerfile: bump debian bullseye-20210927
* client: Use first endpoint as http2 authority header
* tests: Add grpc authority e2e tests
* client: Add grpc authority header integration tests
* tests: Allow configuring integration tests to use TCP
* test: Use unique number for grpc port
* tests: Cleanup member interface by exposing Bridge directly
* tests: Make using bridge optional
* tests: Rename grpcAddr to grpcURL to imply that it includes schema
* tests: Remove bridge dependency on unix
* Decouple prefixArgs from os.Env dependency
* server: Ensure that adding and removing members handle storev2 and backend out of sync
* Stop using tip golang version in CI
* fix self-signed-cert-validity parameter cannot be specified in the config file
* fix health endpoint not usable when authentication is enabled
* workflows: remove ARM64 job for maintenance
- Update to version 3.5.0:
* See link below, diff is too big
https://github.com/etcd-io/etcd/compare/v3.4.16...v3.5.0
- Added hardening to systemd service(s) (boo#1181400)
- Change to sysuser-tools to create system user
- Update to version 3.4.16:
* Backport-3.4 exclude alarms from health check conditionally
* etcdserver/mvcc: update trace.Step condition
* Backport-3.4 etcdserver/util.go: reduce memory when logging range requests
* .travis,Makefile,functional: Bump go 1.12 version to v1.12.17
* integration: Fix 'go test --tags cluster_proxy --timeout=30m -v ./integration/...'
* pkg/tlsutil: Adjust cipher suites for go 1.12
* Fix pkg/tlsutil (test) to not fail on 386.
* bill-of-materials.json: Update golang.org/x/sys
* .travis,test: Turn race off in Travis for go version 1.15
* integration : fix TestTLSClientCipherSuitesMismatch in go1.13
* vendor: Run go mod vendor
* go.mod,go.sum: Bump github.com/creack/pty that includes patch
* go.mod,go.sum: Comply with go v1.15
* etcdserver,wal: Convert int to string using rune()
* integration,raft,tests: Comply with go v1.15 gofmt
* .travis.yml: Test with go v1.15.11
* pkg/testutil/leak.go: Allowlist created by testing.runTests.func1
* vendor: Run go mod vendor
* go.sum, go.mod: Run go mod tidy with go 1.12
* go.mod: Pin go to 1.12 version
* etcdserver: fix incorrect metrics generated when clients cancel watches
* integration: relax leader timeout from 3s to 4s
* etcdserver: when using --unsafe-no-fsync write data
* server: Added config parameter experimental-warning-apply-duration
* etcdserver: Fix PeerURL validation
- update etcd.service: avoid args from commandline and environment
as it leads to start failure (boo#1183703)
- Update to version 3.4.15:
* [Backport-3.4] etcdserver/api/etcdhttp: log successful etcd server side health check in debug level
* etcdserver: Fix 64 KB websocket notification message limit
* vendor: bump gorilla/websocket
* pkg/fileutil: fix F_OFD_ constants
- Update to version 3.4.14:
* pkg/netutil: remove unused 'iptables' wrapper
* tools/etcd-dump-metrics: validate exec cmd args
* clientv3: get AuthToken automatically when clientConn is ready.
* etcdserver: add ConfChangeAddLearnerNode to the list of config changes
* integration: add flag WatchProgressNotifyInterval in integration test
- Update to version 3.4.13:
* pkg: file stat warning
* Automated cherry pick of #12243 on release 3.4
* version: 3.4.12
* etcdserver: Avoid panics logging slow v2 requests in integration tests
* version: 3.4.11
* Revert 'etcdserver/api/v3rpc: 'MemberList' never return non-empty ClientURLs'
* *: fix backport of PR12216
* *: add experimental flag for watch notify interval
* clientv3: remove excessive watch cancel logging
* etcdserver: add OS level FD metrics
* pkg/runtime: optimize FDUsage by removing sort
* clientv3: log warning in case of error sending request
* etcdserver/api/v3rpc: 'MemberList' never return non-empty ClientURLs
- Update to version 3.4.10 [CVE-2020-15106][boo#1174951]:
* Documentation: note on data encryption
* etcdserver: change protobuf field type from int to int64 (#12000)
* pkg: consider umask when use MkdirAll
* etcdmain: let grpc proxy warn about insecure-skip-tls-verify
* etcdmain: fix shadow error
* pkg/fileutil: print desired file permission in error log
* pkg: Fix dir permission check on Windows
* auth: Customize simpleTokenTTL settings.
* mvcc: chanLen 1024 is too big, and it uses more memory. 128 seems to be enough. Sometimes the consumption speed is more than the production speed.
* auth: return incorrect result 'ErrUserNotFound' when client request without username or username was empty.
* etcdmain: fix shadow error
* doc: add TLS related warnings
* etcdserver: FDUsage set ticker to 10 minutes from 5 seconds. This ticker checks File Descriptor Requirements and counts all fds in use, and records a log message when in use >= limit/5*4. It only records a message. If there are more than 10K fds, performance is low because of the work FDUsage() does, so the interval needs to be increased.
* clientv3: cancel watches proactively on client context cancellation
* wal: check out of range slice in 'ReadAll', 'decoder'
* etcdctl, etcdmain: warn about --insecure-skip-tls-verify options
* Documentation: note on the policy of insecure by default
* etcdserver: don't let InternalAuthenticateRequest have password
* auth: a new error code for the case of password auth against no password user
* Documentation: note on password strength
* etcdmain: best effort detection of self pointing in tcp proxy
* Discovery: do not allow passing negative cluster size
* wal: fix panic when decoder not set
* embed: fix compaction runtime err
* pkg: check file stats
* etcdserver, et al: add --unsafe-no-fsync flag
* wal: add TestValidSnapshotEntriesAfterPurgeWal testcase
* wal: fix crc mismatch crash bug
* rafthttp: log snapshot download duration
* rafthttp: improve snapshot send logging
* *: make sure snapshot save downloads SHA256 checksum
* etcdserver/api/snap: exclude orphaned defragmentation files in snapNames
* etcdserver: continue releasing snap db in case of error
* etcdserver,wal: fix inconsistencies in WAL and snapshot
* cherry pick of #11564 (#11880)
* mvcc: fix deadlock bug
* auth: optimize lock scope for CheckPassword
* auth: ensure RoleGrantPermission is compatible with older versions
* etcdserver: print warn log when failed to apply request
* auth: cleanup saveConsistentIndex in NewAuthStore
* auth: print warning log when error is ErrAuthOldRevision
* auth: add new metric 'etcd_debugging_auth_revision'
* tools/etcd-dump-db: add auth decoder, optimize print format
* *: fix auth revision corruption bug
* etcdserver: watch stream got closed once one request is not permitted (#11708)
* version: 3.4.7
* wal: add 'etcd_wal_writes_bytes_total'
* pkg/ioutil: add 'FlushN'
* test: auto detect branch when finding merge base
* mvcc/kvstore: when the number of key-values is greater than one million, compaction takes too long and blocks other requests
* version: 3.4.6
* lease: fix memory leak in LeaseGrant when node is follower
* version: 3.4.5
* words: whitelist 'racey'
* Revert 'version: 3.4.5'
* words: whitelist 'hasleader'
* version: 3.4.5
* etcdserver/api/v3rpc: handle api version metadata, add metrics
* clientv3: embed api version in metadata
* etcdserver/api/etcdhttp: log server-side /health checks
* proxy/grpcproxy: add return on error for metrics handler
* etcdctl: fix member add command
* etcdserver: fix quorum calculation when promoting a learner member
* etcdserver: corruption check via http
* mvcc/backend: check for nil boltOpenOptions
* mvcc/backend: Delete orphaned db.tmp files before defrag
* auth: correct logging level
* e2e: test curl auth on onoption user
* auth: fix NoPassWord check when add user
* auth: fix user.Options nil pointer
* mvcc/kvstore: fix compact bug
* mvcc: update to 'etcd_debugging_mvcc_total_put_size_in_bytes'
* mvcc: add 'etcd_mvcc_put_size_in_bytes' to monitor the throughput of put request.
* clientv3: fix retry/streamer error message
* etcdserver: wait purge file loop during shutdown
* integration: disable TestV3AuthOldRevConcurrent
* etcdserver: remove auth validation loop
* scripts/release: list GPG key only when tagging is needed
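Two entries in the changelog above fix the same class of defect: "etcdserver: don't let InternalAuthenticateRequest have password" (3.4.10) and "security: remove password after authenticating the user" (3.5.8, the entry next to the e2e test for CVE-2021-28235, whose summary is privilege escalation via the debug function). The pattern is a credential that stays attached to a request after the check that needed it, so that a later debug-level trace of the applied request can expose it. The changelog does not spell out etcd's internals, so the following is an added illustration in Go and not etcd's code: `handleAuth`, `authRequest`, `userRecord` and the salted SHA-256 check are assumed names and stand-ins (a real store uses a slow password hash such as bcrypt), and the sample user and password are constructed. The same request is run through a debug logger with and without clearing the password first.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"log"
)

// authRequest mirrors the shape of an authenticate RPC: a user name and a
// password that is only needed until the credential check has run.
type authRequest struct {
	Name     string
	Password string
}

// userRecord carries a salted SHA-256 digest. This is an illustration only;
// a production store uses a deliberately slow password hash.
type userRecord struct {
	Salt   string
	Digest string
}

func digest(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// checkPassword compares digests in constant time.
func checkPassword(u userRecord, password string) bool {
	return subtle.ConstantTimeCompare([]byte(digest(u.Salt, password)), []byte(u.Digest)) == 1
}

// handleAuth runs the credential check and then hands the request to the
// debug-level request logger, as an apply path that traces every request
// would. With scrub=true the password is cleared as soon as the check is
// done (the hardened behaviour); with scrub=false the request reaches the
// logger exactly as received.
func handleAuth(users map[string]userRecord, req *authRequest, scrub bool, debugLog *log.Logger) bool {
	u, ok := users[req.Name]
	authed := ok && checkPassword(u, req.Password)
	if scrub {
		req.Password = "" // the secret must not outlive the check that consumed it
	}
	// Debug tracing of the applied request: this is where a still-populated
	// password field ends up in the log.
	debugLog.Printf("applied auth request: %+v", *req)
	return authed
}

// demoUsers returns a constructed single-user store.
func demoUsers() map[string]userRecord {
	return map[string]userRecord{"root": {Salt: "s1", Digest: digest("s1", "hunter2")}}
}

// runDemo authenticates the sample user and returns the result together with
// everything the debug logger wrote, so the leak can be checked directly.
func runDemo(scrub bool) (bool, string) {
	var buf bytes.Buffer
	ok := handleAuth(demoUsers(), &authRequest{Name: "root", Password: "hunter2"}, scrub, log.New(&buf, "", 0))
	return ok, buf.String()
}

func main() {
	for _, scrub := range []bool{false, true} {
		ok, out := runDemo(scrub)
		fmt.Printf("scrub=%v authenticated=%v log=%s", scrub, ok, out)
	}
}
```

Both runs authenticate; only the unscrubbed one prints the plaintext password into the log. The corresponding check on a deployment is the same search over server logs for credentials while debug-level logging is enabled, plus confirming the running etcd carries the fixes listed above.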
Patchnames: openSUSE-2025-3
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CSAF 2.0 document metadata for this advisory (its description note carries the same version-by-version changelog as listed above, starting from the 3.5.12 update):
- Title: Security update for etcd
- Category: csaf_security_advisory, CSAF version 2.0, language en
- Aggregate severity: important (namespace https://www.suse.com/support/security/rating/)
- Distribution: Copyright 2024 SUSE LLC. All rights reserved. TLP:WHITE (https://www.first.org/tlp/)
- Description: This update for etcd fixes the following issues: the changelog above, from "Update to version 3.5.12" onward.
* server: Calculate hash during compaction\n * server: Fix range in mock not returning same number of keys and values\n * server: Move reading KV index inside scheduleCompaction function\n * server: Return error from scheduleCompaction\n * server: Refactor hasher\n * server: Extract kvHash struct\n * server: Move unsafeHashByRev to new hash.go file\n * server: Extract unsafeHashByRev function\n * server: Test HashByRev values to make sure they don\u0027t change\n * server: Cover corruptionMonitor with tests\n * server: Extract corruption detection to dedicated struct\n * server: Extract triggerCorruptAlarm to function\n * move consistent_index forward when executing alarmList operation\n * fix the potential data loss for clusters with only one member\n * [backport 3.5] server: don\u0027t panic in readonly serializable txn\n * Backport of pull/14354 to 3.5.5\n * Refactor the keepAliveListener and keepAliveConn\n * clientv3: close streams after use in lessor keepAliveOnce method\n * Change default sampling rate from 100% to 0%\n * Fix the failure in TestEndpointSwitchResolvesViolation\n * update all related dependencies\n * move setupTracing into a separate file config_tracing.go\n * etcdserver: bump OpenTelemetry to 1.0.1\n * Change default sampling rate from 100% to 0%\n * server/auth: protect rangePermCache with a RW lock\n * Improve error message for incorrect values of ETCD_CLIENT_DEBUG\n * add e2e test cases to cover the maxConcurrentStreams\n * Add flag `--max-concurrent-streams` to set the max concurrent stream each client can open at a time\n * add the uint32Value data type\n * Client: fix check for WithPrefix op\n * client/v3: do not overwrite authTokenBundle on dial\n * restrict the max size of each WAL entry to the remaining size of the file\n * Add FileReader and FileBufReader utilities\n * Backport two lease related bug fixes to 3.5\n * scripts: Detect staged files before building release\n * scripts: Avoid additional repo clone\n * Make DRY_RUN 
explicit\n * scripts: Add tests for release scripts\n * server/auth: enable tokenProvider if recoved store enables auth\n * Update golang.org/x/crypto to latest\n\n- Update to version 3.5.4:\n\n * Update conssitent_index when applying fails\n * Add unit test for canonical SRV records\n * Revert \u0027trim the suffix dot from the srv.Target for etcd-client DNS lookup\u0027\n\n- add variable ETCD_OPTIONS to both service unit and configuration file\n this allows the user to easily add things like \u0027--enable-v2=true\u0027\n\n- Update to version 3.5.3:\n\n https://github.com/etcd-io/etcd/compare/v3.5.2...v3.5.3\n * clientv3: disable mirror auth test with proxy\n * cv3/mirror: Fetch the most recent prefix revision\n * set backend to cindex before recovering the lessor in applySnapshot\n * support linearizable renew lease\n * clientv3: filter learners members during autosync\n * etcdserver: upgrade the golang.org/x/crypto dependency\n * fix the data inconsistency issue by adding a txPostLockHook into the backend\n * server: Save consistency index and term to backend even when they decrease\n * server: Add verification of whether lock was called within out outside of apply\n * go.mod: Upgrade to prometheus/client_golang v1.11.1\n * server: Use default logging configuration instead of zap production one\n * Fix offline defrag\n * backport 3.5: #13676 load all leases from backend\n * server/storage/backend: restore original bolt db options after defrag\n * always print raft term in decimal when displaying member list in json\n * enhance health check endpoint to support serializable request\n * trim the suffix dot from the srv.Target for etcd-client DNS lookup\n\n- Drop ETCD_UNSUPPORTED_ARCH=arm64 from sysconfig as ARM64 is now officially supported\n- Update etcd.conf variables\n- Add the new etcdutl into separate subpackage\n\n- Update to version 3.5.2:\n\n * Update dep: require gopkg.in/yaml.v2 v2.2.8 -\u003e v2.4.0 due to: CVE-2019-11254.\n * fix runlock bug\n * 
server: Require either cluster version v3.6 or --experimental-enable-lease-checkpoint-persist to persist lease remainingTTL\n * etcdserver,integration: Store remaining TTL on checkpoint\n * lease,integration: add checkpoint scheduling after leader change\n * set the backend again after recovering v3 backend from snapshot\n * *: implement a retry logic for auth old revision in the client\n * client/v3: refresh the token when ErrUserEmpty is received while retrying\n * server/etcdserver/api/etcdhttp: exclude the same alarm type activated by multiple peers\n * storage/backend: Add a gauge to indicate if defrag is active (backport from 3.6)\n\n- Update to version 3.5.1:\n\n * version: 3.5.1\n * Dockerfile: bump debian bullseye-20210927\n * client: Use first endpoint as http2 authority header\n * tests: Add grpc authority e2e tests\n * client: Add grpc authority header integration tests\n * tests: Allow configuring integration tests to use TCP\n * test: Use unique number for grpc port\n * tests: Cleanup member interface by exposing Bridge directly\n * tests: Make using bridge optional\n * tests: Rename grpcAddr to grpcURL to imply that it includes schema\n * tests: Remove bridge dependency on unix\n * Decouple prefixArgs from os.Env dependency\n * server: Ensure that adding and removing members handle storev2 and backend out of sync\n * Stop using tip golang version in CI\n * fix self-signed-cert-validity parameter cannot be specified in the config file\n * fix health endpoint not usable when authentication is enabled\n * workflows: remove ARM64 job for maintenance\n\n- Update to version 3.5.0:\n\n * See link below, diff is too big\n https://github.com/etcd-io/etcd/compare/v3.4.16...v3.5.0\n\n- Added hardening to systemd service(s) (boo#1181400)\n\n- Change to sysuser-tools to create system user\n\n- Update to version 3.4.16:\n\n * Backport-3.4 exclude alarms from health check conditionally\n * etcdserver/mvcc: update trace.Step condition\n * Backport-3.4 
etcdserver/util.go: reduce memory when logging range requests\n * .travis,Makefile,functional: Bump go 1.12 version to v1.12.17\n * integration: Fix \u0027go test --tags cluster_proxy --timeout=30m -v ./integration/...\u0027\n * pkg/tlsutil: Adjust cipher suites for go 1.12\n * Fix pkg/tlsutil (test) to not fail on 386.\n * bill-of-materials.json: Update golang.org/x/sys\n * .travis,test: Turn race off in Travis for go version 1.15\n * integration : fix TestTLSClientCipherSuitesMismatch in go1.13\n * vendor: Run go mod vendor\n * go.mod,go.sum: Bump github.com/creack/pty that includes patch\n * go.mod,go.sum: Comply with go v1.15\n * etcdserver,wal: Convert int to string using rune()\n * integration,raft,tests: Comply with go v1.15 gofmt\n * .travis.yml: Test with go v1.15.11\n * pkpkg/testutil/leak.go: Allowlist created by testing.runTests.func1\n * vendor: Run go mod vendor\n * go.sum, go.mod: Run go mod tidy with go 1.12\n * go.mod: Pin go to 1.12 version\n * etcdserver: fix incorrect metrics generated when clients cancel watches\n * integration: relax leader timeout from 3s to 4s\n * etcdserver: when using --unsafe-no-fsync write data\n * server: Added config parameter experimental-warning-apply-duration\n * etcdserver: Fix PeerURL validation\n\n- update etcd.service: avoid args from commandline and environment\n as it leads to start failure (boo#1183703) \n\n- Update to version 3.4.15:\n\n * [Backport-3.4] etcdserver/api/etcdhttp: log successful etcd server side health check in debug level\n * etcdserver: Fix 64 KB websocket notification message limit\n * vendor: bump gorilla/websocket\n * pkg/fileutil: fix F_OFD_ constants\n\n- Update to version 3.4.14:\n\n * pkg/netutil: remove unused \u0027iptables\u0027 wrapper\n * tools/etcd-dump-metrics: validate exec cmd args\n * clientv3: get AuthToken automatically when clientConn is ready.\n * etcdserver: add ConfChangeAddLearnerNode to the list of config changes\n * integration: add flag WatchProgressNotifyInterval 
in integration test\n\n- Update to version 3.4.13:\n\n * pkg: file stat warning\n * Automated cherry pick of #12243 on release 3.4\n * version: 3.4.12\n * etcdserver: Avoid panics logging slow v2 requests in integration tests\n * version: 3.4.11\n * Revert \u0027etcdserver/api/v3rpc: \u0027MemberList\u0027 never return non-empty ClientURLs\u0027\n * *: fix backport of PR12216\n * *: add experimental flag for watch notify interval\n * clientv3: remove excessive watch cancel logging\n * etcdserver: add OS level FD metrics\n * pkg/runtime: optimize FDUsage by removing sort\n * clientv3: log warning in case of error sending request\n * etcdserver/api/v3rpc: \u0027MemberList\u0027 never return non-empty ClientURLs\n\n- Update to version 3.4.10 [CVE-2020-15106][boo#1174951]:\n\n * Documentation: note on data encryption\n * etcdserver: change protobuf field type from int to int64 (#12000)\n * pkg: consider umask when use MkdirAll\n * etcdmain: let grpc proxy warn about insecure-skip-tls-verify\n * etcdmain: fix shadow error\n * pkg/fileutil: print desired file permission in error log\n * pkg: Fix dir permission check on Windows\n * auth: Customize simpleTokenTTL settings.\n * mvcc: chanLen 1024 is to biger,and it used more memory. 128 seems to be enough. Sometimes the consumption speed is more than the production speed.\n * auth: return incorrect result \u0027ErrUserNotFound\u0027 when client request without username or username was empty.\n * etcdmain: fix shadow error\n * doc: add TLS related warnings\n * etcdserver:FDUsage set ticker to 10 minute from 5 seconds. This ticker will check File Descriptor Requirements ,and count all fds in used. And recorded some logs when in used \u003e= limit/5*4. Just recorded message. If fds was more than 10K,It\u0027s low performance due to FDUsage() works. 
So need to increase it.\n * clientv3: cancel watches proactively on client context cancellation\n * wal: check out of range slice in \u0027ReadAll\u0027, \u0027decoder\u0027\n * etcdctl, etcdmain: warn about --insecure-skip-tls-verify options\n * Documentation: note on the policy of insecure by default\n * etcdserver: don\u0027t let InternalAuthenticateRequest have password\n * auth: a new error code for the case of password auth against no password user\n * Documentation: note on password strength\n * etcdmain: best effort detection of self pointing in tcp proxy\n * Discovery: do not allow passing negative cluster size\n * wal: fix panic when decoder not set\n * embed: fix compaction runtime err\n * pkg: check file stats\n * etcdserver, et al: add --unsafe-no-fsync flag\n * wal: add TestValidSnapshotEntriesAfterPurgeWal testcase\n * wal: fix crc mismatch crash bug\n * rafthttp: log snapshot download duration\n * rafthttp: improve snapshot send logging\n * *: make sure snapshot save downloads SHA256 checksum\n * etcdserver/api/snap: exclude orphaned defragmentation files in snapNames\n * etcdserver: continue releasing snap db in case of error\n * etcdserver,wal: fix inconsistencies in WAL and snapshot\n * cherry pick of #11564 (#11880)\n * mvcc: fix deadlock bug\n * auth: optimize lock scope for CheckPassword\n * auth: ensure RoleGrantPermission is compatible with older versions\n * etcdserver: print warn log when failed to apply request\n * auth: cleanup saveConsistentIndex in NewAuthStore\n * auth: print warning log when error is ErrAuthOldRevision\n * auth: add new metric \u0027etcd_debugging_auth_revision\u0027\n * tools/etcd-dump-db: add auth decoder, optimize print format\n * *: fix auth revision corruption bug\n * etcdserver: watch stream got closed once one request is not permitted (#11708)\n * version: 3.4.7\n * wal: add \u0027etcd_wal_writes_bytes_total\u0027\n * pkg/ioutil: add \u0027FlushN\u0027\n * test: auto detect branch when finding merge base\n * 
mvcc/kvstore:when the number key-value is greater than one million, compact take too long and blocks other requests\n * version: 3.4.6\n * lease: fix memory leak in LeaseGrant when node is follower\n * version: 3.4.5\n * words: whitelist \u0027racey\u0027\n * Revert \u0027version: 3.4.5\u0027\n * words: whitelist \u0027hasleader\u0027\n * version: 3.4.5\n * etcdserver/api/v3rpc: handle api version metadata, add metrics\n * clientv3: embed api version in metadata\n * etcdserver/api/etcdhttp: log server-side /health checks\n * proxy/grpcproxy: add return on error for metrics handler\n * etcdctl: fix member add command\n * etcdserver: fix quorum calculation when promoting a learner member\n * etcdserver: corruption check via http\n * mvcc/backend: check for nil boltOpenOptions\n * mvcc/backend: Delete orphaned db.tmp files before defrag\n * auth: correct logging level\n * e2e: test curl auth on onoption user\n * auth: fix NoPassWord check when add user\n * auth: fix user.Options nil pointer\n * mvcc/kvstore:fixcompactbug\n * mvcc: update to \u0027etcd_debugging_mvcc_total_put_size_in_bytes\u0027\n * mvcc: add \u0027etcd_mvcc_put_size_in_bytes\u0027 to monitor the throughput of put request.\n * clientv3: fix retry/streamer error message\n * etcdserver: wait purge file loop during shutdown\n * integration: disable TestV3AuthOldRevConcurrent\n * etcdserver: remove auth validation loop\n * scripts/release: list GPG key only when tagging is needed\n\n", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-2025-3", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": 
"SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0003-1.json" }, { "category": "self", "summary": "URL for openSUSE-SU-2025:0003-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PE3D4WEFUCELLDKJUEM2KLPFMME7KTAI/" }, { "category": "self", "summary": "E-Mail link for openSUSE-SU-2025:0003-1", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PE3D4WEFUCELLDKJUEM2KLPFMME7KTAI/" }, { "category": "self", "summary": "SUSE Bug 1174951", "url": "https://bugzilla.suse.com/1174951" }, { "category": "self", "summary": "SUSE Bug 1181400", "url": "https://bugzilla.suse.com/1181400" }, { "category": "self", "summary": "SUSE Bug 1183703", "url": "https://bugzilla.suse.com/1183703" }, { "category": "self", "summary": "SUSE Bug 1199031", "url": "https://bugzilla.suse.com/1199031" }, { "category": "self", "summary": "SUSE CVE CVE-2019-11254 page", "url": "https://www.suse.com/security/cve/CVE-2019-11254/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15106 page", "url": "https://www.suse.com/security/cve/CVE-2020-15106/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47108 page", "url": "https://www.suse.com/security/cve/CVE-2023-47108/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-48795 page", "url": "https://www.suse.com/security/cve/CVE-2023-48795/" } ], "title": "Security update for etcd", "tracking": { "current_release_date": "2025-01-07T15:04:12Z", "generator": { "date": "2025-01-07T15:04:12Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2025:0003-1", "initial_release_date": "2025-01-07T15:04:12Z", "revision_history": [ { 
"date": "2025-01-07T15:04:12Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-bp156.4.3.1.aarch64", "product": { "name": "etcd-3.5.12-bp156.4.3.1.aarch64", "product_id": "etcd-3.5.12-bp156.4.3.1.aarch64" } }, { "category": "product_version", "name": "etcdctl-3.5.12-bp156.4.3.1.aarch64", "product": { "name": "etcdctl-3.5.12-bp156.4.3.1.aarch64", "product_id": "etcdctl-3.5.12-bp156.4.3.1.aarch64" } }, { "category": "product_version", "name": "etcdutl-3.5.12-bp156.4.3.1.aarch64", "product": { "name": "etcdutl-3.5.12-bp156.4.3.1.aarch64", "product_id": "etcdutl-3.5.12-bp156.4.3.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-bp156.4.3.1.ppc64le", "product": { "name": "etcd-3.5.12-bp156.4.3.1.ppc64le", "product_id": "etcd-3.5.12-bp156.4.3.1.ppc64le" } }, { "category": "product_version", "name": "etcdctl-3.5.12-bp156.4.3.1.ppc64le", "product": { "name": "etcdctl-3.5.12-bp156.4.3.1.ppc64le", "product_id": "etcdctl-3.5.12-bp156.4.3.1.ppc64le" } }, { "category": "product_version", "name": "etcdutl-3.5.12-bp156.4.3.1.ppc64le", "product": { "name": "etcdutl-3.5.12-bp156.4.3.1.ppc64le", "product_id": "etcdutl-3.5.12-bp156.4.3.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-bp156.4.3.1.s390x", "product": { "name": "etcd-3.5.12-bp156.4.3.1.s390x", "product_id": "etcd-3.5.12-bp156.4.3.1.s390x" } }, { "category": "product_version", "name": "etcdctl-3.5.12-bp156.4.3.1.s390x", "product": { "name": "etcdctl-3.5.12-bp156.4.3.1.s390x", "product_id": "etcdctl-3.5.12-bp156.4.3.1.s390x" } }, { "category": "product_version", "name": "etcdutl-3.5.12-bp156.4.3.1.s390x", "product": { "name": "etcdutl-3.5.12-bp156.4.3.1.s390x", "product_id": 
"etcdutl-3.5.12-bp156.4.3.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-bp156.4.3.1.x86_64", "product": { "name": "etcd-3.5.12-bp156.4.3.1.x86_64", "product_id": "etcd-3.5.12-bp156.4.3.1.x86_64" } }, { "category": "product_version", "name": "etcdctl-3.5.12-bp156.4.3.1.x86_64", "product": { "name": "etcdctl-3.5.12-bp156.4.3.1.x86_64", "product_id": "etcdctl-3.5.12-bp156.4.3.1.x86_64" } }, { "category": "product_version", "name": "etcdutl-3.5.12-bp156.4.3.1.x86_64", "product": { "name": "etcdutl-3.5.12-bp156.4.3.1.x86_64", "product_id": "etcdutl-3.5.12-bp156.4.3.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "SUSE Package Hub 15 SP6", "product": { "name": "SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6" } }, { "category": "product_name", "name": "openSUSE Leap 15.6", "product": { "name": "openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.aarch64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.ppc64le as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": 
"etcd-3.5.12-bp156.4.3.1.s390x as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.x86_64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.aarch64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.ppc64le as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.s390x as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.x86_64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": 
"default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.aarch64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.ppc64le as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.s390x as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.x86_64 as component of SUSE Package Hub 15 SP6", "product_id": "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "SUSE Package Hub 15 SP6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, 
{ "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-bp156.4.3.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcd-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-bp156.4.3.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcdctl-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", 
"full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdutl-3.5.12-bp156.4.3.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" }, "product_reference": "etcdutl-3.5.12-bp156.4.3.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-11254", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2019-11254" } ], "notes": [ { "category": "general", "text": "The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 
SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2019-11254", "url": "https://www.suse.com/security/cve/CVE-2019-11254" }, { "category": "external", "summary": "SUSE Bug 1168270 for CVE-2019-11254", "url": "https://bugzilla.suse.com/1168270" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 
SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 
15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-01-07T15:04:12Z", "details": "moderate" } ], "title": "CVE-2019-11254" }, { "cve": "CVE-2020-15106", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15106" } ], "notes": [ { "category": "general", "text": "In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. 
Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15106", "url": "https://www.suse.com/security/cve/CVE-2020-15106" }, { "category": "external", "summary": "SUSE Bug 1174951 for CVE-2020-15106", "url": "https://bugzilla.suse.com/1174951" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended 
installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 
SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-01-07T15:04:12Z", "details": "moderate" } ], "title": "CVE-2020-15106" }, { "cve": "CVE-2021-28235", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE 
Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 
SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", 
"openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-01-07T15:04:12Z", "details": "important" } ], "title": "CVE-2021-28235" }, { "cve": "CVE-2023-47108", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-47108" } ], "notes": [ { "category": "general", "text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. 
The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47108", "url": "https://www.suse.com/security/cve/CVE-2023-47108" }, { "category": "external", "summary": "SUSE Bug 1217070 for CVE-2023-47108", "url": "https://bugzilla.suse.com/1217070" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods 
like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 
15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-01-07T15:04:12Z", "details": "important" } ], "title": "CVE-2023-47108" }, { "cve": "CVE-2023-48795", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-48795" } ], "notes": [ { "category": "general", "text": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). 
The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE 
Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-48795", "url": "https://www.suse.com/security/cve/CVE-2023-48795" }, { "category": "external", "summary": "SUSE Bug 1217950 for CVE-2023-48795", "url": "https://bugzilla.suse.com/1217950" }, { "category": "external", "summary": "SUSE Bug 1218708 for CVE-2023-48795", "url": "https://bugzilla.suse.com/1218708" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 
SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcd-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.s390x", "SUSE Package Hub 15 SP6:etcdutl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE 
Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-bp156.4.3.1.x86_64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.aarch64", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.ppc64le", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.s390x", "openSUSE Leap 15.6:etcdutl-3.5.12-bp156.4.3.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2025-01-07T15:04:12Z", "details": "important" } ], "title": "CVE-2023-48795" } ] }
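The CVE-2020-15106 note in the advisory above describes a record decoder that trusts the length field of a WAL frame and allocates whatever it says, so a forged length can panic any RAFT participant replaying the file. The following Go program is an added example, not etcd code and not the fix shipped in etcd 3.3.23 / 3.4.10: it uses a constructed frame layout (an 8-byte little-endian length followed by the body) and an assumed 1 MiB per-record limit, and contrasts a decoder that trusts the length with one that bounds it against both the fixed maximum and the bytes actually present before allocating.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified stand-in for a length-prefixed WAL frame: an 8-byte little-endian
// length followed by the record body. This layout is an assumption for the
// example; etcd's real frame encoding differs.
const headerLen = 8

// maxRecordSize is the upper bound an implementation chooses for a single
// record. The value here is an assumption for the example.
const maxRecordSize = 1 << 20

var (
	ErrShortHeader  = errors.New("frame shorter than length header")
	ErrRecordTooBig = errors.New("record length exceeds maxRecordSize")
	ErrTruncated    = errors.New("record body truncated")
)

// encodeRecord writes one well-formed frame for body.
func encodeRecord(body []byte) []byte {
	frame := make([]byte, headerLen+len(body))
	binary.LittleEndian.PutUint64(frame, uint64(len(body)))
	copy(frame[headerLen:], body)
	return frame
}

// forgedFrame builds a frame whose length field claims n bytes but carries
// only four bytes of body: the shape of input described for CVE-2020-15106.
func forgedFrame(n uint64) []byte {
	frame := make([]byte, headerLen+4)
	binary.LittleEndian.PutUint64(frame, n)
	return frame
}

// decodeUnchecked trusts the length field and allocates whatever the header
// says. A forged length makes the allocation fail with a runtime panic, or
// exhausts memory for sizes below the allocator's hard limit.
func decodeUnchecked(frame []byte) ([]byte, error) {
	if len(frame) < headerLen {
		return nil, ErrShortHeader
	}
	n := binary.LittleEndian.Uint64(frame[:headerLen])
	rec := make([]byte, n) // no validation of n before allocating
	copy(rec, frame[headerLen:])
	return rec, nil
}

// decodeUncheckedPanics reports whether decodeUnchecked panics on frame,
// turning the crash into a value a caller (or test) can inspect.
func decodeUncheckedPanics(frame []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_, _ = decodeUnchecked(frame)
	return false
}

// decodeChecked validates the length field against a fixed maximum and
// against the bytes actually present before allocating. It returns the
// record and the unread remainder so a caller can loop over frames.
func decodeChecked(frame []byte) (rec, rest []byte, err error) {
	if len(frame) < headerLen {
		return nil, nil, ErrShortHeader
	}
	n := binary.LittleEndian.Uint64(frame[:headerLen])
	if n > maxRecordSize {
		return nil, nil, ErrRecordTooBig
	}
	body := frame[headerLen:]
	if uint64(len(body)) < n {
		return nil, nil, ErrTruncated
	}
	rec = make([]byte, n)
	copy(rec, body[:n])
	return rec, body[n:], nil
}

func main() {
	good := encodeRecord([]byte("hello"))
	rec, _, err := decodeChecked(good)
	fmt.Printf("valid frame: %q err=%v\n", rec, err)

	forged := forgedFrame(1 << 62)
	_, _, err = decodeChecked(forged)
	fmt.Printf("forged frame, checked decoder: err=%v\n", err)
	fmt.Printf("forged frame, unchecked decoder panics: %v\n", decodeUncheckedPanics(forged))
}
```

On a 64-bit build the forged length of 2^62 bytes makes the unchecked decoder's make call panic with a runtime error; a forged length below the allocator's hard limit but above available memory would instead exhaust memory, which is the outcome the advisory describes for a RAFT participant replaying such a WAL. The checked decoder rejects the frame before any allocation happens, and the truncation check also catches a frame whose header is honest but whose body was cut short on disk.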
opensuse-su-2024:13369-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
etcd-for-k8s1.25-3.5.9-1.1 on GA media
Notes
Title of the patch
etcd-for-k8s1.25-3.5.9-1.1 on GA media
Description of the patch
These are all security issues fixed in the etcd-for-k8s1.25-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13369
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "etcd-for-k8s1.25-3.5.9-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the etcd-for-k8s1.25-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13369", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13369-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" } ], "title": "etcd-for-k8s1.25-3.5.9-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13369-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": 
{ "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.25-3.5.9-1.1.aarch64", "product": { "name": "etcd-for-k8s1.25-3.5.9-1.1.aarch64", "product_id": "etcd-for-k8s1.25-3.5.9-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "product": { "name": "etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "product_id": "etcd-for-k8s1.25-3.5.9-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.25-3.5.9-1.1.s390x", "product": { "name": "etcd-for-k8s1.25-3.5.9-1.1.s390x", "product_id": "etcd-for-k8s1.25-3.5.9-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.25-3.5.9-1.1.x86_64", "product": { "name": "etcd-for-k8s1.25-3.5.9-1.1.x86_64", "product_id": "etcd-for-k8s1.25-3.5.9-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.25-3.5.9-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.aarch64" }, "product_reference": "etcd-for-k8s1.25-3.5.9-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.25-3.5.9-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.ppc64le" }, 
"product_reference": "etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.25-3.5.9-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.s390x" }, "product_reference": "etcd-for-k8s1.25-3.5.9-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.25-3.5.9-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.x86_64" }, "product_reference": "etcd-for-k8s1.25-3.5.9-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "openSUSE 
Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.25-3.5.9-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2021-28235" } ] }
opensuse-su-2024:13371-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
etcd-for-k8s1.27-3.5.9-1.1 on GA media
Notes
Title of the patch
etcd-for-k8s1.27-3.5.9-1.1 on GA media
Description of the patch
These are all security issues fixed in the etcd-for-k8s1.27-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13371
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "etcd-for-k8s1.27-3.5.9-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the etcd-for-k8s1.27-3.5.9-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-13371", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13371-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" } ], "title": "etcd-for-k8s1.27-3.5.9-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:13371-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": "2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": 
{ "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.27-3.5.9-1.1.aarch64", "product": { "name": "etcd-for-k8s1.27-3.5.9-1.1.aarch64", "product_id": "etcd-for-k8s1.27-3.5.9-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "product": { "name": "etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "product_id": "etcd-for-k8s1.27-3.5.9-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.27-3.5.9-1.1.s390x", "product": { "name": "etcd-for-k8s1.27-3.5.9-1.1.s390x", "product_id": "etcd-for-k8s1.27-3.5.9-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-for-k8s1.27-3.5.9-1.1.x86_64", "product": { "name": "etcd-for-k8s1.27-3.5.9-1.1.x86_64", "product_id": "etcd-for-k8s1.27-3.5.9-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.27-3.5.9-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.aarch64" }, "product_reference": "etcd-for-k8s1.27-3.5.9-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.27-3.5.9-1.1.ppc64le as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.ppc64le" }, 
"product_reference": "etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.27-3.5.9-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.s390x" }, "product_reference": "etcd-for-k8s1.27-3.5.9-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-for-k8s1.27-3.5.9-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.x86_64" }, "product_reference": "etcd-for-k8s1.27-3.5.9-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "openSUSE 
Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.aarch64", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.ppc64le", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.s390x", "openSUSE Tumbleweed:etcd-for-k8s1.27-3.5.9-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2021-28235" } ] }
gsd-2021-28235
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
Aliases
{ "GSD": { "alias": "CVE-2021-28235", "id": "GSD-2021-28235" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2021-28235" ], "details": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "id": "GSD-2021-28235", "modified": "2023-12-13T01:23:29.181582Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28235", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://etcd.com", "refsource": "MISC", "url": "http://etcd.com" }, { "name": "https://github.com/etcd-io/etcd", "refsource": "MISC", "url": "https://github.com/etcd-io/etcd" }, { "name": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png", "refsource": "MISC", "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "name": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png", "refsource": "MISC", "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "name": "https://github.com/etcd-io/etcd/pull/15648", "refsource": "MISC", "url": "https://github.com/etcd-io/etcd/pull/15648" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "=3.4.10", "affected_versions": "Version 3.4.10", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cwe_ids": [ "CWE-1035", "CWE-287", "CWE-937" ], "date": "2023-04-11", "description": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "fixed_versions": [], "identifier": "CVE-2021-28235", "identifiers": [ "GHSA-gmph-wf7j-9gcm", "CVE-2021-28235" ], "not_impacted": "", "package_slug": "go/go.etcd.io/etcd/v3", "pubdate": "2023-04-04", "solution": "Unfortunately, there is no solution available yet.", "title": "Improper Authentication", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-28235", "https://github.com/etcd-io/etcd", "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png", "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png", "http://etcd.com", "https://github.com/etcd-io/etcd/pull/15648", "https://github.com/advisories/GHSA-gmph-wf7j-9gcm" ], "uuid": "1a7cc401-5aff-4984-9e07-351409e53ee1" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", 
"nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:etcd:etcd:3.4.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28235" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-287" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png", "refsource": "MISC", "tags": [ "Product" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "name": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png", "refsource": "MISC", "tags": [ "Product" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "name": "http://etcd.com", "refsource": "MISC", "tags": [ "Broken Link" ], "url": "http://etcd.com" }, { "name": "https://github.com/etcd-io/etcd", "refsource": "MISC", "tags": [ "Product" ], "url": "https://github.com/etcd-io/etcd" }, { "name": "https://github.com/etcd-io/etcd/pull/15648", "refsource": "MISC", "tags": [], "url": "https://github.com/etcd-io/etcd/pull/15648" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9 } }, "lastModifiedDate": "2023-04-11T01:15Z", "publishedDate": "2023-04-04T15:15Z" } } }
rhsa-2023:3447
Vulnerability from csaf_redhat
Published
2023-06-05 18:54
Modified
2025-08-13 09:34
Summary
Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update
Notes
Topic
An update for etcd is now available for Red Hat OpenStack Platform 16.1
(Train).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
A highly-available key value store for shared configuration
Security Fix(es):
* Information disclosure via debug function (CVE-2021-28235)
* golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for etcd is now available for Red Hat OpenStack Platform 16.1\n(Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "A highly-available key value store for shared configuration\n\nSecurity Fix(es):\n\n* Information discosure via debug function (CVE-2021-28235)\n\n* golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding\n(CVE-2022-41723)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:3447", "url": "https://access.redhat.com/errata/RHSA-2023:3447" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2178358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358" }, { "category": "external", "summary": "2184441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3447.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.1 (etcd) security update", "tracking": { "current_release_date": "2025-08-13T09:34:20+00:00", "generator": { "date": "2025-08-13T09:34:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2023:3447", "initial_release_date": "2023-06-05T18:54:02+00:00", "revision_history": [ { "date": "2023-06-05T18:54:02+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-06-05T18:54:02+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-13T09:34:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenStack Platform 16.1", "product": { "name": "Red Hat OpenStack Platform 16.1", 
"product_id": "8Base-RHOS-16.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:16.1::el8" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.src", "product": { "name": "etcd-0:3.3.23-14.el8ost.src", "product_id": "etcd-0:3.3.23-14.el8ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-0:3.3.23-14.el8ost.x86_64", "product_id": "etcd-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product_id": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-14.el8ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product_id": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-14.el8ost?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-0:3.3.23-14.el8ost.ppc64le", "product_id": "etcd-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=ppc64le" } } }, { "category": "product_version", "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product_id": 
"etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-14.el8ost?arch=ppc64le" } } }, { "category": "product_version", "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product_id": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-14.el8ost?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.3.23-14.el8ost.src as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src" }, "product_reference": "etcd-0:3.3.23-14.el8ost.src", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { 
"name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.1" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.1", "product_id": "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.1" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "cwe": { "id": "CWE-287", "name": "Improper Authentication" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184441" } ], "notes": [ { "category": "description", "text": "A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. 
By sending a specially crafted request, an attacker can gain elevated privileges.", "title": "Vulnerability description" }, { "category": "summary", "text": "etcd: Information discosure via debug function", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "RHBZ#2184441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28235", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28235" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:54:02+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", 
"8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "etcd: Information discosure via debug function" }, { "acknowledgments": [ { "names": [ "Philippe Antoine" ], "organization": "Catena Cyber" } ], "cve": "CVE-2022-41723", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2178358" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang. 
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container so the impact could not cascade across the entire infrastructure, this vulnerability is rated Moderate impact.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. 
Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41723" }, { "category": "external", "summary": "RHBZ#2178358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41723" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h", "url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h" }, { "category": "external", "summary": "https://go.dev/cl/468135", "url": "https://go.dev/cl/468135" }, { "category": "external", "summary": "https://go.dev/cl/468295", "url": "https://go.dev/cl/468295" }, { "category": "external", "summary": "https://go.dev/issue/57855", "url": "https://go.dev/issue/57855" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", "url": 
"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1571", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "category": "external", "summary": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "release_date": "2023-02-17T14:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:54:02+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3447" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.1:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.1:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": 
"golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" } ] }
rhsa-2023:3445
Vulnerability from csaf_redhat
Published
2023-06-05 18:55
Modified
2025-08-13 16:57
Summary
Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update
Notes
Topic
An update for etcd is now available for Red Hat OpenStack Platform 16.2
(Train).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
A highly-available key value store for shared configuration
Security Fix(es):
* Information disclosure via debug function (CVE-2021-28235)
* html/template: improper handling of JavaScript whitespace (CVE-2023-24540)
* golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* crypto/tls: large handshake records may cause panics (CVE-2022-41724)
* net/http mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725)
* net/http net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
* net/http net/textproto mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
* go/parser: infinite loop in parsing (CVE-2023-24537)
* html/template: backticks not treated as string delimiters (CVE-2023-24538)
* html/template: improper sanitization of CSS values (CVE-2023-24539)
* html/template: improper handling of empty HTML attributes (CVE-2023-29400)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for etcd is now available for Red Hat OpenStack Platform 16.2\n(Train).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "A highly-available key value store for shared configuration\n\nSecurity Fix(es):\n\n* Information discosure via debug function (CVE-2021-28235)\n\n* html/template: improper handling of JavaScript whitespace\n(CVE-2023-24540)\n\n* golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding\n(CVE-2022-41723)\n\n* crypto/tls: large handshake records may cause panics (CVE-2022-41724)\n\n* net/http mime/multipart: denial of service from excessive resource\nconsumption (CVE-2022-41725)\n\n* net/http net/textproto: denial of service from excessive memory\nallocation (CVE-2023-24534)\n\n* net/http net/textproto mime/multipart: denial of service from excessive\nresource consumption (CVE-2023-24536)\n\n* go/parser: Infinite loop in parsing (CVE-2023-24537)\n\n* html/template: backticks not treated as string delimiters\n(CVE-2023-24538)\n\n* html/template: improper sanitization of CSS values (CVE-2023-24539)\n\n* html/template: improper handling of empty HTML attributes\n(CVE-2023-29400)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the 
References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:3445", "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2178358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358" }, { "category": "external", "summary": "2178488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178488" }, { "category": "external", "summary": "2178492", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492" }, { "category": "external", "summary": "2184441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "external", "summary": "2184481", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481" }, { "category": "external", "summary": "2184482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184482" }, { "category": "external", "summary": "2184483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483" }, { "category": "external", "summary": "2184484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184484" }, { "category": "external", "summary": 
"2196026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196026" }, { "category": "external", "summary": "2196027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196027" }, { "category": "external", "summary": "2196029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196029" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3445.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenStack Platform 16.2 (etcd) security update", "tracking": { "current_release_date": "2025-08-13T16:57:47+00:00", "generator": { "date": "2025-08-13T16:57:47+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2023:3445", "initial_release_date": "2023-06-05T18:55:04+00:00", "revision_history": [ { "date": "2023-06-05T18:55:04+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-06-05T18:55:04+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-13T16:57:47+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenStack Platform 16.2", "product": { "name": "Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:16.2::el8" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.src", "product": { "name": "etcd-0:3.3.23-14.el8ost.src", "product_id": "etcd-0:3.3.23-14.el8ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-0:3.3.23-14.el8ost.x86_64", 
"product_id": "etcd-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product_id": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-14.el8ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product_id": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-14.el8ost?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-0:3.3.23-14.el8ost.ppc64le", "product_id": "etcd-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.3.23-14.el8ost?arch=ppc64le" } } }, { "category": "product_version", "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product_id": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debugsource@3.3.23-14.el8ost?arch=ppc64le" } } }, { "category": "product_version", "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product_id": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debuginfo@3.3.23-14.el8ost?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": 
"etcd-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.2" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.3.23-14.el8ost.src as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src" }, "product_reference": "etcd-0:3.3.23-14.el8ost.src", "relates_to_product_reference": "8Base-RHOS-16.2" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.2" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.2" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.2" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le" }, "product_reference": "etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "relates_to_product_reference": "8Base-RHOS-16.2" }, { 
"category": "default_component_of", "full_product_name": { "name": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64 as a component of Red Hat OpenStack Platform 16.2", "product_id": "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" }, "product_reference": "etcd-debugsource-0:3.3.23-14.el8ost.x86_64", "relates_to_product_reference": "8Base-RHOS-16.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "cwe": { "id": "CWE-287", "name": "Improper Authentication" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184441" } ], "notes": [ { "category": "description", "text": "A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges.", "title": "Vulnerability description" }, { "category": "summary", "text": "etcd: Information discosure via debug function", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "RHBZ#2184441", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28235", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28235" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", 
"details": "Important" } ], "title": "etcd: Information discosure via debug function" }, { "acknowledgments": [ { "names": [ "Philippe Antoine" ], "organization": "Catena Cyber" } ], "cve": "CVE-2022-41723", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2178358" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container so the impact could not cascade across the entire infrastructure, this vulnerability is rated Moderate impact.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. 
Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41723" }, { "category": "external", "summary": "RHBZ#2178358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41723" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h", "url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h" }, { "category": "external", "summary": "https://go.dev/cl/468135", "url": "https://go.dev/cl/468135" }, { "category": "external", "summary": "https://go.dev/cl/468295", "url": "https://go.dev/cl/468295" }, { "category": 
"external", "summary": "https://go.dev/issue/57855", "url": "https://go.dev/issue/57855" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1571", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "category": "external", "summary": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "release_date": "2023-02-17T14:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", 
"8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding" }, { "cve": "CVE-2022-41724", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2178492" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: crypto/tls: large handshake records may cause panics", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity for a denial of service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. 
They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41724" }, { "category": "external", "summary": "RHBZ#2178492", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41724", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41724" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724" }, { "category": "external", "summary": "https://go.dev/cl/468125", "url": "https://go.dev/cl/468125" }, { "category": "external", "summary": "https://go.dev/issue/58001", "url": "https://go.dev/issue/58001" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1570", "url": "https://pkg.go.dev/vuln/GO-2023-1570" } ], "release_date": "2023-02-15T00:00:00+00:00", 
"remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: crypto/tls: large handshake records may cause panics" }, { "cve": "CVE-2022-41725", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-03-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2178488" } ], "notes": [ { "category": "description", "text": "A flaw was found in Go, where it is 
vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, mime/multipart: denial of service from excessive resource consumption", "title": "Vulnerability summary" }, { "category": "other", "text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. 
Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41725" }, { "category": "external", "summary": "RHBZ#2178488", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178488" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41725", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41725" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41725" }, { "category": "external", "summary": "https://go.dev/cl/468124", "url": "https://go.dev/cl/468124" }, { "category": "external", "summary": "https://go.dev/issue/58006", "url": "https://go.dev/issue/58006" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" 
}, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1569", "url": "https://pkg.go.dev/vuln/GO-2023-1569" } ], "release_date": "2023-02-15T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http, mime/multipart: denial of service from excessive resource consumption" }, { "cve": "CVE-2023-24534", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, 
"discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184483" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, net/textproto: denial of service from excessive memory allocation", "title": "Vulnerability summary" }, { "category": "other", "text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. 
Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24534" }, { "category": "external", "summary": "RHBZ#2184483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24534", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24534" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534" }, { "category": "external", "summary": "https://go.dev/issue/58975", "url": "https://go.dev/issue/58975" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", 
"product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http, net/textproto: denial of service from excessive memory allocation" }, { "cve": "CVE-2023-24536", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184482" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an issue during multipart form parsing. 
By sending a specially crafted input, a remote attacker can consume large amounts of CPU and memory, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption", "title": "Vulnerability summary" }, { "category": "other", "text": "For Red Hat Enterprise Linux,\n\n* Conmon uses Go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not-affected.\n* The CVE refers to multipart form parsing routine mime/multipart.Reader.ReadForm, which is not used in Grafana, hence it is not-affected.\n* Butane does not parse multipart forms, hence, it is also not-affected.\nRed Hat has marked this vulnerability as moderate as this vulnerability could lead to a potential denial of service when all the resources of a system are consumed, which is technically not a clear case of denial of service.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nRed Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. 
Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24536" }, { "category": "external", "summary": "RHBZ#2184482", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184482" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24536", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24536" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24536", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24536" }, { "category": "external", "summary": "https://go.dev/issue/59153", "url": "https://go.dev/issue/59153" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": 
"2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", 
"8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption" }, { "cve": "CVE-2023-24537", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184484" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: go/parser: Infinite loop in parsing", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24537" }, { "category": 
"external", "summary": "RHBZ#2184484", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184484" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24537", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24537" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24537" }, { "category": "external", "summary": "https://github.com/golang/go/issues/59180", "url": "https://github.com/golang/go/issues/59180" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", 
"8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: go/parser: Infinite loop in parsing" }, { "cve": "CVE-2023-24538", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184481" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker can execute arbitrary code on the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: html/template: backticks not treated as string delimiters", "title": "Vulnerability summary" }, { "category": "other", "text": "The described issue involving Go templates and JavaScript template literals poses a moderate severity rather than an important one due to several mitigating factors. Firstly, the vulnerability requires specific conditions to be met: the presence of Go templates within JavaScript template literals. This limits the scope of affected codebases, reducing the likelihood of exploitation. Additionally, the decision to disallow such interactions in future releases of Go indicates a proactive approach to addressing the issue. 
Furthermore, the affected packages or components within Red Hat Enterprise Linux, such as Conmon, Grafana, and the RHC package, have been assessed and determined not to be impacted due to their specific usage patterns. So the limited scope of affected systems and the absence of exploitation vectors in specific components within Red Hat Enterprise Linux contribute to categorizing the severity of the issue as moderate.\n\nFor Red Hat Enterprise Linux,\n\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* The rhc package does not make use of html/template. Hence, it is also not affected.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24538" }, { "category": "external", "summary": "RHBZ#2184481", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24538", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24538" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-24538", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538" }, { "category": "external", "summary": "https://github.com/golang/go/issues/59234", "url": "https://github.com/golang/go/issues/59234" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: html/template: backticks not treated as string delimiters" }, { "acknowledgments": [ { "names": [ "Juho Nurminen" ], "organization": "Mattermost" } ], "cve": "CVE-2023-24539", "cwe": { "id": "CWE-176", "name": "Improper Handling of Unicode Encoding" }, "discovery_date": "2023-05-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2196026" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang where angle brackets (\u003c\u003e) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a \u0027/\u0027 character could result in the CSS context unexpectedly closing, allowing for the injection of unexpected HTML if executed with untrusted input.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: html/template: improper sanitization of CSS values", "title": "Vulnerability summary" }, { "category": "other", "text": "For Red Hat Enterprise Linux,\n\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, not in the actual code. 
Thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* Ignition does not make use of html/template.\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable golang html/templates to authenticated users only, therefore, the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24539" }, { "category": "external", "summary": "RHBZ#2196026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196026" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24539", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24539" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24539", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24539" }, { "category": "external", "summary": "https://github.com/golang/go/issues/59720", "url": "https://github.com/golang/go/issues/59720" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" 
} ], "release_date": "2023-04-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", 
"8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: html/template: improper sanitization of CSS values" }, { "acknowledgments": [ { "names": [ "Juho Nurminen" ], "organization": "Mattermost" } ], "cve": "CVE-2023-24540", "cwe": { "id": "CWE-176", "name": "Improper Handling of Unicode Encoding" }, "discovery_date": "2023-05-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2196027" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: html/template: improper handling of JavaScript whitespace", "title": "Vulnerability summary" }, { "category": "other", "text": "For Red Hat Enterprise Linux,\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* Ignition does not make use of html/template.\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. 
This restricts access to the vulnerable golang html/templates to authenticated users only, therefore the impact is low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24540" }, { "category": "external", "summary": "RHBZ#2196027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196027" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24540", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24540" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540" }, { "category": "external", "summary": "https://go.dev/issue/59721", "url": "https://go.dev/issue/59721" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" } ], "release_date": "2023-04-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { 
"category": "impact", "details": "Important" } ], "title": "golang: html/template: improper handling of JavaScript whitespace" }, { "acknowledgments": [ { "names": [ "Juho Nurminen" ], "organization": "Mattermost" } ], "cve": "CVE-2023-29400", "cwe": { "id": "CWE-176", "name": "Improper Handling of Unicode Encoding" }, "discovery_date": "2023-05-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2196029" } ], "notes": [ { "category": "description", "text": "A flaw was found in golang. Templates containing actions in unquoted HTML attributes, for example, \"attr={{.}}\") executed with empty input, could result in output that has unexpected results when parsed due to HTML normalization rules. This issue may allow the injection of arbitrary attributes into tags.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: html/template: improper handling of empty HTML attributes", "title": "Vulnerability summary" }, { "category": "other", "text": "For Red Hat Enterprise Linux,\n\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, not in the actual code. Thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* Ignition does not make use of html/template.\n\nIn OpenShift Container Platform and Red Hat Advanced Cluster Management for Kubernetes (RHACM), the affected containers are behind OAuth authentication. 
This restricts access to the vulnerable golang html/templates to authenticated users, reducing the impact to low.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-29400" }, { "category": "external", "summary": "RHBZ#2196029", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196029" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29400", "url": "https://www.cve.org/CVERecord?id=CVE-2023-29400" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29400", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29400" }, { "category": "external", "summary": "https://go.dev/issue/59722", "url": "https://go.dev/issue/59722" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU", "url": "https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU" } ], "release_date": "2023-04-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T18:55:04+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "product_ids": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.src", "8Base-RHOS-16.2:etcd-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debuginfo-0:3.3.23-14.el8ost.x86_64", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.ppc64le", "8Base-RHOS-16.2:etcd-debugsource-0:3.3.23-14.el8ost.x86_64" ] } ], "threats": [ { 
"category": "impact", "details": "Moderate" } ], "title": "golang: html/template: improper handling of empty HTML attributes" } ] }
rhsa-2023:3441
Vulnerability from csaf_redhat
Published
2023-06-05 19:02
Modified
2025-08-05 14:39
Summary
Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 (etcd) security update
Notes
Topic
An update for etcd is now available for Red Hat OpenStack Platform 17.0
(Wallaby).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
A highly-available key value store for shared configuration
Security Fix(es):
* Information disclosure via debug function (CVE-2021-28235)
* Key name can be accessed via LeaseTimeToLive API (CVE-2023-32082)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for etcd is now available for Red Hat OpenStack Platform 17.0\n(Wallaby).\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "A highly-available key value store for shared configuration\n\nSecurity Fix(es):\n\n* Information discosure via debug function (CVE-2021-28235)\n\n* Key name can be accessed via LeaseTimeToLive API (CVE-2023-32082)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:3441", "url": "https://access.redhat.com/errata/RHSA-2023:3441" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2184441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "external", "summary": "2208131", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208131" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3441.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenStack Platform 17.0 (etcd) security update", "tracking": { "current_release_date": "2025-08-05T14:39:28+00:00", "generator": { "date": "2025-08-05T14:39:28+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2023:3441", "initial_release_date": "2023-06-05T19:02:22+00:00", "revision_history": [ { "date": "2023-06-05T19:02:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-06-05T19:02:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-05T14:39:28+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat OpenStack Platform 17.0", "product": { "name": "Red Hat OpenStack Platform 17.0", 
"product_id": "9Base-RHOS-17.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:17.0::el9" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.4.26-1.el9ost.src", "product": { "name": "etcd-0:3.4.26-1.el9ost.src", "product_id": "etcd-0:3.4.26-1.el9ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.4.26-1.el9ost?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "etcd-0:3.4.26-1.el9ost.x86_64", "product": { "name": "etcd-0:3.4.26-1.el9ost.x86_64", "product_id": "etcd-0:3.4.26-1.el9ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd@3.4.26-1.el9ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debugsource-0:3.4.26-1.el9ost.x86_64", "product": { "name": "etcd-debugsource-0:3.4.26-1.el9ost.x86_64", "product_id": "etcd-debugsource-0:3.4.26-1.el9ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debugsource@3.4.26-1.el9ost?arch=x86_64" } } }, { "category": "product_version", "name": "etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "product": { "name": "etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "product_id": "etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/etcd-debuginfo@3.4.26-1.el9ost?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.4.26-1.el9ost.src as a component of Red Hat OpenStack Platform 17.0", "product_id": "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src" }, "product_reference": "etcd-0:3.4.26-1.el9ost.src", "relates_to_product_reference": "9Base-RHOS-17.0" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-0:3.4.26-1.el9ost.x86_64 as a component of Red 
Hat OpenStack Platform 17.0", "product_id": "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64" }, "product_reference": "etcd-0:3.4.26-1.el9ost.x86_64", "relates_to_product_reference": "9Base-RHOS-17.0" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debuginfo-0:3.4.26-1.el9ost.x86_64 as a component of Red Hat OpenStack Platform 17.0", "product_id": "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64" }, "product_reference": "etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "relates_to_product_reference": "9Base-RHOS-17.0" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-debugsource-0:3.4.26-1.el9ost.x86_64 as a component of Red Hat OpenStack Platform 17.0", "product_id": "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" }, "product_reference": "etcd-debugsource-0:3.4.26-1.el9ost.x86_64", "relates_to_product_reference": "9Base-RHOS-17.0" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-28235", "cwe": { "id": "CWE-287", "name": "Improper Authentication" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184441" } ], "notes": [ { "category": "description", "text": "A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. 
By sending a specially crafted request, an attacker can gain elevated privileges.", "title": "Vulnerability description" }, { "category": "summary", "text": "etcd: Information discosure via debug function", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "RHBZ#2184441", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184441" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28235", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28235" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28235" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T19:02:22+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3441" } ], "scores": [ { "cvss_v3": { "attackComplexity": 
"LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "etcd: Information discosure via debug function" }, { "cve": "CVE-2023-32082", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2023-05-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2208131" } ], "notes": [ { "category": "description", "text": "A flaw was found in etcd. 
Affected versions of etcd allow a remote, authenticated attacker to use the LeaseTimeToLive API to obtain sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "etcd: Key name can be accessed via LeaseTimeToLive API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-32082" }, { "category": "external", "summary": "RHBZ#2208131", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2208131" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-32082", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32082" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-32082", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32082" } ], "release_date": "2023-05-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-05T19:02:22+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2023:3441" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.src", "9Base-RHOS-17.0:etcd-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debuginfo-0:3.4.26-1.el9ost.x86_64", "9Base-RHOS-17.0:etcd-debugsource-0:3.4.26-1.el9ost.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "etcd: Key name can be accessed via LeaseTimeToLive API" } ] }
fkie_cve-2021-28235
Vulnerability from fkie_nvd
Published
2023-04-04 15:15
Modified
2025-02-18 17:15
Summary
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | http://etcd.com | Broken Link |
| cve@mitre.org | https://github.com/etcd-io/etcd | Product |
| cve@mitre.org | https://github.com/etcd-io/etcd/pull/15648 | |
| cve@mitre.org | https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png | Product |
| cve@mitre.org | https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png | Product |
| af854a3a-2127-422b-91ae-364da2661108 | http://etcd.com | Broken Link |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/etcd-io/etcd | Product |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/etcd-io/etcd/pull/15648 | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png | Product |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png | Product |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:etcd:etcd:3.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "423FB650-0346-4036-B0CE-D07170756FA4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function." } ], "id": "CVE-2021-28235", "lastModified": "2025-02-18T17:15:11.817", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-04T15:15:08.507", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://etcd.com" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/etcd-io/etcd" }, { "source": "cve@mitre.org", "url": "https://github.com/etcd-io/etcd/pull/15648" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://etcd.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/etcd-io/etcd" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/etcd-io/etcd/pull/15648" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": 
"https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj.png" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/lucyxss/etcd-3.4.10-test/blob/master/temp4cj_2.png" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
suse-su-2024:3656-1
Vulnerability from csaf_suse
Published
2024-10-16 11:33
Modified
2024-10-16 11:33
Summary
Security update for etcd
Notes
Title of the patch
Security update for etcd
Description of the patch
This update for etcd fixes the following issues:
Update to version 3.5.12:
Security fixes:
- CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897)
- CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898)
- CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899)
- CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850)
- CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951)
- CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951)
- CVE-2021-28235: Fixed information disclosure via debug function (bsc#1210138)
- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding in net/http (bsc#1208270, bsc#1208297)
- CVE-2023-29406: Fixed insufficient sanitization of Host header in go net/http (bsc#1213229)
- CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (bsc#1217070)
- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh (bsc#1217950, bsc#1218150)
Other changes:
- Added hardening to systemd service(s) (bsc#1181400)
- Fixed static /tmp file issue (bsc#1199031)
- Fixed systemd service not starting (bsc#1183703)
Full changelog:
https://github.com/etcd-io/etcd/compare/v3.3.1...v3.5.12
Patchnames
SUSE-2024-3656,openSUSE-SLE-15.5-2024-3656,openSUSE-SLE-15.6-2024-3656
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for etcd", "title": "Title of the patch" }, { "category": "description", "text": "This update for etcd fixes the following issues:\n\nUpdate to version 3.5.12:\n\nSecurity fixes:\n\n- CVE-2018-16873: Fixed remote command execution in cmd/go (bsc#1118897)\n- CVE-2018-16874: Fixed directory traversal in cmd/go (bsc#1118898)\n- CVE-2018-16875: Fixed CPU denial of service in crypto/x509 (bsc#1118899)\n- CVE-2018-16886: Fixed improper authentication issue when RBAC and client-cert-auth is enabled (bsc#1121850)\n- CVE-2020-15106: Fixed panic in decodeRecord method (bsc#1174951)\n- CVE-2020-15112: Fixed improper checks in entry index (bsc#1174951)\n- CVE-2021-28235: Fixed information discosure via debug function (bsc#1210138)\n- CVE-2022-41723: Fixed quadratic complexity in HPACK decoding in net/http (bsc#1208270, bsc#1208297)\n- CVE-2023-29406: Fixed insufficient sanitization of Host header in go net/http (bsc#1213229)\n- CVE-2023-47108: Fixed DoS vulnerability in otelgrpc (bsc#1217070)\n- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (aka Terrapin Attack) in crypto/ssh (bsc#1217950, bsc#1218150)\n\nOther changes:\n\n- Added hardening to systemd service(s) (bsc#1181400)\n- Fixed static /tmp file issue (bsc#1199031)\n- Fixed systemd service not starting (bsc#1183703)\n\nFull changelog:\n\nhttps://github.com/etcd-io/etcd/compare/v3.3.1...v3.5.12\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-2024-3656,openSUSE-SLE-15.5-2024-3656,openSUSE-SLE-15.6-2024-3656", "title": "Patchnames" }, { "category": "legal_disclaimer", 
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3656-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2024:3656-1", "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243656-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2024:3656-1", "url": "https://lists.suse.com/pipermail/sle-updates/2024-October/037265.html" }, { "category": "self", "summary": "SUSE Bug 1095184", "url": "https://bugzilla.suse.com/1095184" }, { "category": "self", "summary": "SUSE Bug 1118897", "url": "https://bugzilla.suse.com/1118897" }, { "category": "self", "summary": "SUSE Bug 1118898", "url": "https://bugzilla.suse.com/1118898" }, { "category": "self", "summary": "SUSE Bug 1118899", "url": "https://bugzilla.suse.com/1118899" }, { "category": "self", "summary": "SUSE Bug 1121850", "url": "https://bugzilla.suse.com/1121850" }, { "category": "self", "summary": "SUSE Bug 1174951", "url": "https://bugzilla.suse.com/1174951" }, { "category": "self", "summary": "SUSE Bug 1181400", "url": "https://bugzilla.suse.com/1181400" }, { "category": "self", "summary": "SUSE Bug 1183703", "url": "https://bugzilla.suse.com/1183703" }, { "category": "self", "summary": "SUSE Bug 1199031", "url": "https://bugzilla.suse.com/1199031" }, { "category": "self", "summary": "SUSE Bug 1208270", "url": "https://bugzilla.suse.com/1208270" }, { "category": "self", "summary": "SUSE Bug 1208297", "url": "https://bugzilla.suse.com/1208297" }, { 
"category": "self", "summary": "SUSE Bug 1210138", "url": "https://bugzilla.suse.com/1210138" }, { "category": "self", "summary": "SUSE Bug 1213229", "url": "https://bugzilla.suse.com/1213229" }, { "category": "self", "summary": "SUSE Bug 1217070", "url": "https://bugzilla.suse.com/1217070" }, { "category": "self", "summary": "SUSE Bug 1217950", "url": "https://bugzilla.suse.com/1217950" }, { "category": "self", "summary": "SUSE Bug 1218150", "url": "https://bugzilla.suse.com/1218150" }, { "category": "self", "summary": "SUSE CVE CVE-2018-16873 page", "url": "https://www.suse.com/security/cve/CVE-2018-16873/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-16874 page", "url": "https://www.suse.com/security/cve/CVE-2018-16874/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-16875 page", "url": "https://www.suse.com/security/cve/CVE-2018-16875/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-16886 page", "url": "https://www.suse.com/security/cve/CVE-2018-16886/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15106 page", "url": "https://www.suse.com/security/cve/CVE-2020-15106/" }, { "category": "self", "summary": "SUSE CVE CVE-2020-15112 page", "url": "https://www.suse.com/security/cve/CVE-2020-15112/" }, { "category": "self", "summary": "SUSE CVE CVE-2021-28235 page", "url": "https://www.suse.com/security/cve/CVE-2021-28235/" }, { "category": "self", "summary": "SUSE CVE CVE-2022-41723 page", "url": "https://www.suse.com/security/cve/CVE-2022-41723/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-29406 page", "url": "https://www.suse.com/security/cve/CVE-2023-29406/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-47108 page", "url": "https://www.suse.com/security/cve/CVE-2023-47108/" }, { "category": "self", "summary": "SUSE CVE CVE-2023-48795 page", "url": "https://www.suse.com/security/cve/CVE-2023-48795/" } ], "title": "Security update for etcd", "tracking": { "current_release_date": "2024-10-16T11:33:42Z", 
"generator": { "date": "2024-10-16T11:33:42Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2024:3656-1", "initial_release_date": "2024-10-16T11:33:42Z", "revision_history": [ { "date": "2024-10-16T11:33:42Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-150000.7.6.1.aarch64", "product": { "name": "etcd-3.5.12-150000.7.6.1.aarch64", "product_id": "etcd-3.5.12-150000.7.6.1.aarch64" } }, { "category": "product_version", "name": "etcdctl-3.5.12-150000.7.6.1.aarch64", "product": { "name": "etcdctl-3.5.12-150000.7.6.1.aarch64", "product_id": "etcdctl-3.5.12-150000.7.6.1.aarch64" } }, { "category": "product_version", "name": "etcdutl-3.5.12-150000.7.6.1.aarch64", "product": { "name": "etcdutl-3.5.12-150000.7.6.1.aarch64", "product_id": "etcdutl-3.5.12-150000.7.6.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-150000.7.6.1.ppc64le", "product": { "name": "etcd-3.5.12-150000.7.6.1.ppc64le", "product_id": "etcd-3.5.12-150000.7.6.1.ppc64le" } }, { "category": "product_version", "name": "etcdctl-3.5.12-150000.7.6.1.ppc64le", "product": { "name": "etcdctl-3.5.12-150000.7.6.1.ppc64le", "product_id": "etcdctl-3.5.12-150000.7.6.1.ppc64le" } }, { "category": "product_version", "name": "etcdutl-3.5.12-150000.7.6.1.ppc64le", "product": { "name": "etcdutl-3.5.12-150000.7.6.1.ppc64le", "product_id": "etcdutl-3.5.12-150000.7.6.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-150000.7.6.1.s390x", "product": { "name": "etcd-3.5.12-150000.7.6.1.s390x", "product_id": "etcd-3.5.12-150000.7.6.1.s390x" } }, { "category": "product_version", "name": "etcdctl-3.5.12-150000.7.6.1.s390x", "product": { "name": 
"etcdctl-3.5.12-150000.7.6.1.s390x", "product_id": "etcdctl-3.5.12-150000.7.6.1.s390x" } }, { "category": "product_version", "name": "etcdutl-3.5.12-150000.7.6.1.s390x", "product": { "name": "etcdutl-3.5.12-150000.7.6.1.s390x", "product_id": "etcdutl-3.5.12-150000.7.6.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "etcd-3.5.12-150000.7.6.1.x86_64", "product": { "name": "etcd-3.5.12-150000.7.6.1.x86_64", "product_id": "etcd-3.5.12-150000.7.6.1.x86_64" } }, { "category": "product_version", "name": "etcdctl-3.5.12-150000.7.6.1.x86_64", "product": { "name": "etcdctl-3.5.12-150000.7.6.1.x86_64", "product_id": "etcdctl-3.5.12-150000.7.6.1.x86_64" } }, { "category": "product_version", "name": "etcdutl-3.5.12-150000.7.6.1.x86_64", "product": { "name": "etcdutl-3.5.12-150000.7.6.1.x86_64", "product_id": "etcdutl-3.5.12-150000.7.6.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Leap 15.5", "product": { "name": "openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.5" } } }, { "category": "product_name", "name": "openSUSE Leap 15.6", "product": { "name": "openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6", "product_identification_helper": { "cpe": "cpe:/o:opensuse:leap:15.6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64" }, "product_reference": "etcd-3.5.12-150000.7.6.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.ppc64le as component of 
openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le" }, "product_reference": "etcd-3.5.12-150000.7.6.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x" }, "product_reference": "etcd-3.5.12-150000.7.6.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.x86_64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64" }, "product_reference": "etcd-3.5.12-150000.7.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.aarch64 as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.ppc64le as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.s390x as component of openSUSE Leap 15.5", "product_id": "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.x86_64 as component of openSUSE Leap 15.5", "product_id": 
"openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.5" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64" }, "product_reference": "etcd-3.5.12-150000.7.6.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le" }, "product_reference": "etcd-3.5.12-150000.7.6.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x" }, "product_reference": "etcd-3.5.12-150000.7.6.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcd-3.5.12-150000.7.6.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64" }, "product_reference": "etcd-3.5.12-150000.7.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.aarch64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.aarch64", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.ppc64le as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 
15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.ppc64le", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.s390x as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.s390x", "relates_to_product_reference": "openSUSE Leap 15.6" }, { "category": "default_component_of", "full_product_name": { "name": "etcdctl-3.5.12-150000.7.6.1.x86_64 as component of openSUSE Leap 15.6", "product_id": "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" }, "product_reference": "etcdctl-3.5.12-150000.7.6.1.x86_64", "relates_to_product_reference": "openSUSE Leap 15.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-16873", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-16873" } ], "notes": [ { "category": "general", "text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it\u0027s possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. 
That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-16873", "url": "https://www.suse.com/security/cve/CVE-2018-16873" }, { "category": "external", "summary": "SUSE Bug 1118897 for CVE-2018-16873", "url": "https://bugzilla.suse.com/1118897" }, { "category": "external", "summary": "SUSE Bug 1118898 for CVE-2018-16873", "url": "https://bugzilla.suse.com/1118898" }, { "category": "external", "summary": "SUSE Bug 1118899 for CVE-2018-16873", "url": "https://bugzilla.suse.com/1118899" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 
15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "important" } ], "title": "CVE-2018-16873" }, { "cve": "CVE-2018-16874", "ids": [ 
{ "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-16874" } ], "notes": [ { "category": "general", "text": "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both \u0027{\u0027 and \u0027}\u0027 characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-16874", "url": "https://www.suse.com/security/cve/CVE-2018-16874" }, { "category": "external", "summary": "SUSE Bug 1118897 for CVE-2018-16874", "url": "https://bugzilla.suse.com/1118897" }, { "category": "external", "summary": "SUSE Bug 1118898 for CVE-2018-16874", "url": "https://bugzilla.suse.com/1118898" }, { "category": 
"external", "summary": "SUSE Bug 1118899 for CVE-2018-16874", "url": "https://bugzilla.suse.com/1118899" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", 
"openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2018-16874" }, { "cve": "CVE-2018-16875", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-16875" } ], "notes": [ { "category": "general", "text": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-16875", "url": "https://www.suse.com/security/cve/CVE-2018-16875" 
}, { "category": "external", "summary": "SUSE Bug 1118897 for CVE-2018-16875", "url": "https://bugzilla.suse.com/1118897" }, { "category": "external", "summary": "SUSE Bug 1118898 for CVE-2018-16875", "url": "https://bugzilla.suse.com/1118898" }, { "category": "external", "summary": "SUSE Bug 1118899 for CVE-2018-16875", "url": "https://bugzilla.suse.com/1118899" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 
15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2018-16875" }, { "cve": "CVE-2018-16886", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-16886" } ], "notes": [ { "category": "general", "text": "etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. 
If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2018-16886", "url": "https://www.suse.com/security/cve/CVE-2018-16886" }, { "category": "external", "summary": "SUSE Bug 1121850 for CVE-2018-16886", "url": "https://bugzilla.suse.com/1121850" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 
15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2018-16886" }, { "cve": "CVE-2020-15106", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2020-15106" } ], "notes": [ { "category": "general", "text": "In etcd before 
versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15106", "url": "https://www.suse.com/security/cve/CVE-2020-15106" }, { "category": "external", "summary": "SUSE Bug 1174951 for CVE-2020-15106", "url": "https://bugzilla.suse.com/1174951" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 
15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2020-15106" }, { "cve": "CVE-2020-15112", "ids": [ { "system_name": "SUSE CVE Page", "text": 
"https://www.suse.com/security/cve/CVE-2020-15112" } ], "notes": [ { "category": "general", "text": "In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2020-15112", "url": "https://www.suse.com/security/cve/CVE-2020-15112" }, { "category": "external", "summary": "SUSE Bug 1174951 for CVE-2020-15112", "url": "https://bugzilla.suse.com/1174951" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 
15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2020-15112" }, { "cve": "CVE-2021-28235", "ids": 
[ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2021-28235" } ], "notes": [ { "category": "general", "text": "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2021-28235", "url": "https://www.suse.com/security/cve/CVE-2021-28235" }, { "category": "external", "summary": "SUSE Bug 1210138 for CVE-2021-28235", "url": "https://bugzilla.suse.com/1210138" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 
15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "important" } ], "title": "CVE-2021-28235" }, { "cve": "CVE-2022-41723", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2022-41723" } ], "notes": [ { "category": "general", "text": "A maliciously crafted 
HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2022-41723", "url": "https://www.suse.com/security/cve/CVE-2022-41723" }, { "category": "external", "summary": "SUSE Bug 1208270 for CVE-2022-41723", "url": "https://bugzilla.suse.com/1208270" }, { "category": "external", "summary": "SUSE Bug 1215588 for CVE-2022-41723", "url": "https://bugzilla.suse.com/1215588" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 
15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "important" } ], "title": "CVE-2022-41723" }, { "cve": "CVE-2023-29406", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-29406" } ], "notes": [ { "category": "general", "text": "The HTTP/1 client 
does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-29406", "url": "https://www.suse.com/security/cve/CVE-2023-29406" }, { "category": "external", "summary": "SUSE Bug 1213229 for CVE-2023-29406", "url": "https://bugzilla.suse.com/1213229" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 
15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "moderate" } ], "title": "CVE-2023-29406" }, { "cve": "CVE-2023-47108", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-47108" } ], "notes": [ { "category": "general", "text": "OpenTelemetry-Go 
Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-47108", "url": "https://www.suse.com/security/cve/CVE-2023-47108" }, { "category": "external", "summary": "SUSE Bug 1217070 for CVE-2023-47108", "url": "https://bugzilla.suse.com/1217070" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the 
SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 
15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "important" } ], "title": "CVE-2023-47108" }, { "cve": "CVE-2023-48795", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2023-48795" } ], "notes": [ { "category": "general", "text": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. 
This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", 
"openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2023-48795", "url": "https://www.suse.com/security/cve/CVE-2023-48795" }, { "category": "external", "summary": "SUSE Bug 1217950 for CVE-2023-48795", "url": "https://bugzilla.suse.com/1217950" }, { "category": "external", "summary": "SUSE Bug 1218708 for CVE-2023-48795", "url": "https://bugzilla.suse.com/1218708" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE 
Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.5:etcdctl-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.aarch64", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.ppc64le", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.s390x", "openSUSE Leap 15.6:etcdctl-3.5.12-150000.7.6.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-10-16T11:33:42Z", "details": "important" } ], "title": "CVE-2023-48795" } ] }
wid-sec-w-2023-1373
Vulnerability from csaf_certbund
Published
2023-06-05 22:00
Modified
2023-11-30 23:00
Summary
Red Hat OpenStack Platform: Multiple vulnerabilities
Notes
The BSI, as the provider of its own content made available for use, is responsible for it under the general laws. Users, however, are responsible for carefully checking in each individual case the use and/or implementation of the information provided with that content.
Product description
Red Hat OpenStack is a collection of services for providing cloud computing in the form of Infrastructure as a Service (IaaS).
Attack
An attacker can exploit multiple vulnerabilities in the Red Hat OpenStack Platform to escalate privileges, cause a denial of service, or disclose information.
Affected operating systems
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Red Hat OpenStack ist eine Sammlung von Diensten, um Cloud-Computing in Form von Infrastructure as a Service (IaaS) bereitstellen zu k\u00f6nnen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in der Red Hat OpenStack Platform ausnutzen, um seine Privilegien zu erh\u00f6hen, einen Denial of Service zu verursachen oder Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1373 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1373.json" }, { "category": "self", "summary": "WID-SEC-2023-1373 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1373" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:7341 vom 2023-11-30", "url": "https://access.redhat.com/errata/RHSA-2023:7341" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2023-12710 vom 2023-08-06", "url": 
"https://linux.oracle.com/errata/ELSA-2023-12710.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2023:2263-2 vom 2023-07-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-July/015545.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3536 vom 2023-06-14", "url": "https://access.redhat.com/errata/RHSA-2023:3536" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3545 vom 2023-06-14", "url": "https://access.redhat.com/errata/RHSA-2023:3545" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3525 vom 2023-06-07", "url": "https://access.redhat.com/errata/RHSA-2023:3525" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-06-05", "url": "https://access.redhat.com/errata/RHSA-2023:3446" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-06-05", "url": "https://access.redhat.com/errata/RHSA-2023:3445" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-06-05", "url": "https://access.redhat.com/errata/RHSA-2023:3444" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-06-05", "url": "https://access.redhat.com/errata/RHSA-2023:3441" }, { "category": "external", "summary": "RedHat Security Advisory vom 2023-06-05", "url": "https://access.redhat.com/errata/RHSA-2023:3440" } ], "source_lang": "en-US", "title": "Red Hat OpenStack Platform : Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-11-30T23:00:00.000+00:00", "generator": { "date": "2024-08-15T17:51:52.836+00:00", "engine": { "name": "BSI-WID", "version": "1.3.5" } }, "id": "WID-SEC-W-2023-1373", "initial_release_date": "2023-06-05T22:00:00.000+00:00", "revision_history": [ { "date": "2023-06-05T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-06-08T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { 
"date": "2023-06-13T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-07-20T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2023-08-06T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2023-11-30T23:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "6" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenShift Container Platform \u003c 4.13.3", "product": { "name": "Red Hat OpenShift Container Platform \u003c 4.13.3", "product_id": "T028106", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.13.3" } } }, { "category": "product_name", "name": "Red Hat OpenShift Container Platform \u003c 4.12.21", "product": { "name": "Red Hat OpenShift Container Platform \u003c 4.12.21", "product_id": "T028111", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.12.21" } } } ], "category": "product_name", "name": "OpenShift" }, { "branches": [ { "category": "product_name", "name": "Red Hat OpenStack Platform \u003c 16.2", "product": { "name": "Red Hat OpenStack Platform \u003c 16.2", "product_id": "T027976", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:platform__16.2" } } }, { "category": "product_name", "name": "Red Hat OpenStack 
Platform \u003c 17.0", "product": { "name": "Red Hat OpenStack Platform \u003c 17.0", "product_id": "T027977", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:platform__17.0" } } } ], "category": "product_name", "name": "OpenStack" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-32082", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenStack in etcd. Ein entfernter, authentifizierter Angreifer kann die LeaseTimeToLive API verwenden, um vertrauliche Informationen zu erhalten." } ], "product_status": { "known_affected": [ "T028111", "T002207", "67646", "T028106", "T004914" ] }, "release_date": "2023-06-05T22:00:00.000+00:00", "title": "CVE-2023-32082" }, { "cve": "CVE-2023-30861", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenStack im Python Flask-Paket. Eine zwischengespeicherte Antwort kann Daten f\u00fcr einen Client enthalten. Ein Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen." } ], "product_status": { "known_affected": [ "T028111", "T002207", "67646", "T028106", "T004914" ] }, "release_date": "2023-06-05T22:00:00.000+00:00", "title": "CVE-2023-30861" }, { "cve": "CVE-2023-24536", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenStack. Dieser besteht in Golang Go, durch ein Problem beim Parsen von mehrteiligen Formularen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen." 
} ], "product_status": { "known_affected": [ "T028111", "T002207", "67646", "T028106", "T004914" ] }, "release_date": "2023-06-05T22:00:00.000+00:00", "title": "CVE-2023-24536" }, { "cve": "CVE-2023-24534", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenStack. Die Ursache ist ein Problem, das durch eine Speicherersch\u00f6pfung in der gemeinsamen Funktion in HTTP und MIME Header Parsing verursacht wird. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen." } ], "product_status": { "known_affected": [ "T028111", "T002207", "67646", "T028106", "T004914" ] }, "release_date": "2023-06-05T22:00:00.000+00:00", "title": "CVE-2023-24534" }, { "cve": "CVE-2021-28235", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Red Hat OpenStack. Diese besteht in etcd aufgrund einer Schwachstelle in der Debug-Funktion in etc-io. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um seine Rechte zu erweitern." } ], "product_status": { "known_affected": [ "T028111", "T002207", "67646", "T028106", "T004914" ] }, "release_date": "2023-06-05T22:00:00.000+00:00", "title": "CVE-2021-28235" } ] }
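Both advisory dumps above (SUSE's openSUSE Leap etcd update and CERT-Bund's WID-SEC-W-2023-1373) are CSAF 2.0 documents, and they encode the same CVE in two different ways: SUSE's `product_status` lists readable `<distro>:<package>` identifiers and attaches a `cvss_v3` score, while CERT-Bund's `product_status.known_affected` holds opaque IDs such as `67646` or `T002207` that only the `product_tree` can resolve, and carries no score at all. The script below is an added example for this page, not code from SUSE, CERT-Bund, etcd or the vulnerability-lookup site. It walks the product tree to resolve IDs, parses the CVSS 3.x vector string into its base metrics, and flags entries that are network-reachable without privileges (AV:N and PR:N), which is how SUSE rates CVE-2021-28235. The two documents embedded in it are constructed fragments that copy the field layout and a few IDs and scores from the advisories shown above; the function names (`product_names`, `parse_cvss_vector`, `cve_status`, `unauthenticated_and_remote`) are this example's own.

```python
"""Pull one CVE's verdict out of CSAF 2.0 advisory documents.

Added example for this page; the two documents are constructed fragments
mirroring the SUSE and CERT-Bund advisories above (field names per CSAF 2.0).
"""
from __future__ import annotations

# Constructed slice of the SUSE advisory: product IDs are readable
# "<distro>:<package NEVRA>" strings, so no product_tree lookup is needed.
SUSE_DOC = {
    "product_tree": {"branches": []},
    "vulnerabilities": [
        {
            "cve": "CVE-2021-28235",
            "product_status": {"recommended": [
                "openSUSE Leap 15.5:etcd-3.5.12-150000.7.6.1.x86_64",
                "openSUSE Leap 15.6:etcd-3.5.12-150000.7.6.1.x86_64",
            ]},
            "scores": [{"cvss_v3": {
                "baseScore": 8.1, "baseSeverity": "HIGH", "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            }}],
            "threats": [{"category": "impact", "details": "important"}],
        },
    ],
}

# Constructed slice of the CERT-Bund advisory: product_status holds opaque
# IDs (T002207, 67646, ...) that only product_tree can turn into names.
CERTBUND_DOC = {
    "product_tree": {"branches": [
        {"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_name", "name": "Red Hat Enterprise Linux",
             "product": {"name": "Red Hat Enterprise Linux", "product_id": "67646"}},
            {"category": "product_name", "name": "OpenStack", "branches": [
                {"category": "product_name", "name": "Red Hat OpenStack Platform < 16.2",
                 "product": {"name": "Red Hat OpenStack Platform < 16.2",
                             "product_id": "T027976"}},
            ]},
        ]},
        {"category": "vendor", "name": "SUSE", "branches": [
            {"category": "product_name", "name": "SUSE Linux",
             "product": {"name": "SUSE Linux", "product_id": "T002207"}},
        ]},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-2021-28235",
         "product_status": {"known_affected": ["T002207", "67646"]}},
    ],
}

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def product_names(tree: dict) -> dict[str, str]:
    """Map every product_id in a CSAF product_tree to its display name."""
    names: dict[str, str] = {}

    def walk(branch: dict) -> None:  # branches nest arbitrarily deep
        product = branch.get("product")
        if product:
            names[product["product_id"]] = product["name"]
        for child in branch.get("branches", []):
            walk(child)

    for top in tree.get("branches", []):
        walk(top)
    return names


def parse_cvss_vector(vector: str) -> dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:H/...' into {'AV': 'N', 'AC': 'H', ...}.

    Anything that is not a v3.x vector with all eight base metrics is
    rejected, so a truncated or v2 vector fails loudly instead of silently
    reading as "no privileges required".
    """
    prefix, _, rest = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    metrics = dict(part.split(":", 1) for part in rest.split("/") if ":" in part)
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector} lacks base metrics {missing}")
    return metrics


def cve_status(doc: dict, cve: str) -> dict | None:
    """One CVE's verdict from a CSAF document (None if the CVE is absent):
    product_status buckets resolved to names, cvss_v3 scores with parsed
    vectors, and the publisher's impact rating if any."""
    names = product_names(doc.get("product_tree", {}))
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        status = {bucket: [names.get(pid, pid) for pid in pids]
                  for bucket, pids in vuln.get("product_status", {}).items()}
        scores = [{"base": s["cvss_v3"]["baseScore"],
                   "severity": s["cvss_v3"]["baseSeverity"],
                   "metrics": parse_cvss_vector(s["cvss_v3"]["vectorString"])}
                  for s in vuln.get("scores", []) if "cvss_v3" in s]
        impact = next((t["details"] for t in vuln.get("threats", [])
                       if t.get("category") == "impact"), None)
        return {"cve": cve, "status": status, "scores": scores, "impact": impact}
    return None


def unauthenticated_and_remote(verdict: dict) -> bool:
    """True if any score marks the bug network-reachable with no privileges
    required (AV:N and PR:N), the combination usually triaged first."""
    return any(s["metrics"]["AV"] == "N" and s["metrics"]["PR"] == "N"
               for s in verdict["scores"])


if __name__ == "__main__":
    for doc in (SUSE_DOC, CERTBUND_DOC):
        verdict = cve_status(doc, "CVE-2021-28235")
        print(verdict, "remote+unauthenticated:", unauthenticated_and_remote(verdict))
```

To run it against the real advisories, `json.load` the documents from the `.well-known/csaf` URLs listed on this page and pass them to `cve_status` unchanged; the structure is the same. The product tree walk is what makes the CERT-Bund output readable, since its `known_affected` list names nothing but IDs, and the strict vector parser is deliberate: a CSAF entry with no `cvss_v3` block (as in the CERT-Bund document) yields an empty score list rather than a guessed severity.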
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.