Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
etcd: Nested etcd transactions bypass RBAC authorization checks
Vulnerability Description
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Vulnerability Type
授权机制不正确
Vulnerability Title
etcd 安全漏洞
Vulnerability Description
etcd是etcd-io开源的一套使用Go语言编写的用于分布式系统的键值存储系统。 etcd 3.4.42之前版本、3.5.28之前版本和3.6.9之前版本存在安全漏洞,该漏洞源于嵌套事务可绕过密钥范围授权,可能导致未经授权的数据访问。
CVSS Information
N/A
Vulnerability Type
N/A