CVE-2023-32082

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-32082

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32082.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-32082

Aliases

Related

Published

2023-05-11T20:15:09Z

Modified

2024-10-12T10:55:32.386728Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

References

Affected packages

Debian:11 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.25+dfsg-6

3.3.25+dfsg-7

3.3.25+dfsg-8

3.4.23-1

3.4.23-2

3.4.23-3

3.4.23-4

3.4.23-5

3.4.23-6

3.4.30-1

3.4.30-2

3.4.30-3

3.5.5-1

3.5.15-1

3.5.15-2

3.5.15-3

3.5.15-4

3.5.15-5

3.5.15-6

3.5.15-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.4.23-4

3.4.23-5

3.4.23-6

3.4.30-1

3.4.30-2

3.4.30-3

3.5.5-1

3.5.15-1

3.5.15-2

3.5.15-3

3.5.15-4

3.5.15-5

3.5.15-6

3.5.15-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / etcd

Package

Name: etcd
Purl: pkg:deb/debian/etcd?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.30-1

Affected versions

3.*

3.4.23-4

3.4.23-5

3.4.23-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/etcd-io/etcd

Affected ranges

Type: GIT
Repo: https://github.com/etcd-io/etcd
Events: Introduced

946a5a6f25c3b6b89408ab447852731bde6e6289

Fixed

bdbbde998b7ed434b23676530d10dbd601c4a7c0

Affected versions

api/v3.*

api/v3.5.0

api/v3.5.1

api/v3.5.2

api/v3.5.3

api/v3.5.4

api/v3.5.5

api/v3.5.6

api/v3.5.7

api/v3.5.8

client/pkg/v3.*

client/pkg/v3.5.0

client/pkg/v3.5.1

client/pkg/v3.5.2

client/pkg/v3.5.3

client/pkg/v3.5.4

client/pkg/v3.5.5

client/pkg/v3.5.6

client/pkg/v3.5.7

client/pkg/v3.5.8

client/v2.*

client/v2.305.0

client/v2.305.1

client/v2.305.2

client/v2.305.3

client/v2.305.4

client/v2.305.5

client/v2.305.6

client/v2.305.7

client/v2.305.8

client/v3.*

client/v3.5.0

client/v3.5.1

client/v3.5.2

client/v3.5.3

client/v3.5.4

client/v3.5.5

client/v3.5.6

client/v3.5.7

client/v3.5.8

etcdctl/v3.*

etcdctl/v3.5.0

etcdctl/v3.5.1

etcdctl/v3.5.2

etcdctl/v3.5.3

etcdctl/v3.5.4

etcdctl/v3.5.5

etcdctl/v3.5.6

etcdctl/v3.5.7

etcdctl/v3.5.8

etcdutl/v3.*

etcdutl/v3.5.0

etcdutl/v3.5.1

etcdutl/v3.5.2

etcdutl/v3.5.3

etcdutl/v3.5.4

etcdutl/v3.5.5

etcdutl/v3.5.6

etcdutl/v3.5.7

etcdutl/v3.5.8

pkg/v3.*

pkg/v3.5.0

pkg/v3.5.1

pkg/v3.5.2

pkg/v3.5.3

pkg/v3.5.4

pkg/v3.5.5

pkg/v3.5.6

pkg/v3.5.7

pkg/v3.5.8

raft/v3.*

raft/v3.5.0

raft/v3.5.1

raft/v3.5.2

raft/v3.5.3

raft/v3.5.4

raft/v3.5.5

raft/v3.5.6

raft/v3.5.7

raft/v3.5.8

server/v3.*

server/v3.5.0

server/v3.5.1

server/v3.5.2

server/v3.5.3

server/v3.5.4

server/v3.5.5

server/v3.5.6

server/v3.5.7

server/v3.5.8

tests/v3.*

tests/v3.5.0

tests/v3.5.1

tests/v3.5.2

tests/v3.5.3

tests/v3.5.4

tests/v3.5.5

tests/v3.5.6

tests/v3.5.7

tests/v3.5.8

v3.*

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.7

v3.5.8