OESA-2025-1170
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1170
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2025-1170.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2025-1170
- Upstream
- Published
- 2025-02-21T13:37:12Z
- Modified
- 2025-08-12T05:35:01.013388Z
- Summary
- etcd security update
- Details
-
%{expand:
Security Fix(es):
Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.(CVE-2021-28235)
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.(CVE-2022-3064)
Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability.(CVE-2022-34038)
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723)
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when
Keysparameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.(CVE-2023-32082) - Database specific
{ "severity": "Critical" }- References
-
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1170
- https://nvd.nist.gov/vuln/detail/CVE-2021-28235
- https://nvd.nist.gov/vuln/detail/CVE-2022-3064
- https://nvd.nist.gov/vuln/detail/CVE-2022-34038
- https://nvd.nist.gov/vuln/detail/CVE-2022-41723
- https://nvd.nist.gov/vuln/detail/CVE-2023-32082