CVE-2020-15136 Information

Description

In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Reference

https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md

https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
