CVE-2018-1098

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Database specific

{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "last_affected": "30"
                }
            ],
            "source": "CPE_FIELD",
            "vendor_product": "fedoraproject:fedora"
        }
    ]
}

References

Affected packages

Git / github.com/etcd-io/etcd

Affected ranges

Type

GIT

Repo

https://github.com/etcd-io/etcd

Events

Introduced

Last affected

28f3f26c0e303392556035b694f75768d449d33d

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.1"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*"
}

Affected versions

Other

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.2.0

v0.2.0-rc1

v0.2.0-rc2

v0.2.0-rc3

v0.2.0-rc4

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.5.0-alpha.0

v0.5.0-alpha.1

v0.5.0-alpha.2

v0.5.0-alpha.3

v0.5.0-alpha.4

v0.5.0-alpha.5

v2.*

v2.0.0

v2.0.0-rc.1

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.1.0

v2.1.0-alpha.0

v2.1.0-alpha.1

v2.1.0-rc.0

v2.1.1

v2.2.0

v2.2.0-alpha.0

v2.2.0-alpha.1

v2.2.0-rc.0

v2.3.0

v2.3.0-alpha.0

v2.3.0-alpha.1

v3.*

v3.0.0-beta.0

v3.1.0-alpha.0

v3.1.0-alpha.1

v3.1.0-rc.0

v3.1.0-rc.1

v3.2.0+git

v3.2.0-rc.0

v3.2.0-rc.1

v3.2.0_plus_git

v3.2.10_plus_git

v3.3.0

v3.3.0-rc.0

v3.3.0-rc.1

v3.3.0-rc.2

v3.3.0-rc.3

v3.3.0-rc.4

v3.3.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1098.json"