CVE-2023-32082

Exposure of Sensitive Information to an Unauthorized Actor in go/github.com/etcd-io/etcd

Identifiers

GHSA-3p4g-rcw5-8298, CVE-2023-32082

Package Slug

go/github.com/etcd-io/etcd

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API returns the names (not the values) of the keys attached to a lease when the request's Keys parameter is true, even if the calling user has no read permission for those keys. Key names are frequently meaningful on their own (service names, hostnames, tenant or secret identifiers), so the leak is an information disclosure even though values are never returned. The impact is limited to clusters with authentication (RBAC) enabled, since without auth every client can already read every key. Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.
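The following Go program is an added illustration of the authorization gap, not code from etcd or from the advisory. It models a lease with attached keys and an RBAC user with prefix-based read permissions (etcd's [key, range_end) convention, with "\x00" as the open-ended range end), then contrasts a LeaseTimeToLive handler that returns every attached key name with one that filters by the caller's read permissions. The types, function names, the sample keys and the user "alice" are all constructed for the example; whether the upstream fix filters the key list or rejects the whole request is not stated on this page, so the filtering policy here is the example's own choice.

```go
package main

import (
	"fmt"
	"sort"
)

// readRange models one RBAC read permission over the half-open interval
// [Key, RangeEnd). An empty RangeEnd means a single-key permission; "\x00"
// means every key >= Key, mirroring etcd's range_end convention.
type readRange struct {
	Key, RangeEnd string
}

// covers reports whether key falls inside this permission.
func (r readRange) covers(key string) bool {
	switch r.RangeEnd {
	case "":
		return key == r.Key
	case "\x00":
		return key >= r.Key
	default:
		return key >= r.Key && key < r.RangeEnd
	}
}

// prefixRange builds the read permission that covers every key with the
// given prefix, computing range_end the way etcdctl's --prefix does: the
// last byte that can be incremented is incremented and the rest dropped.
func prefixRange(prefix string) readRange {
	b := []byte(prefix)
	for i := len(b) - 1; i >= 0; i-- {
		if b[i] < 0xff {
			b[i]++
			return readRange{Key: prefix, RangeEnd: string(b[:i+1])}
		}
	}
	// All bytes are 0xff: nothing sorts after the prefix, so use the open range.
	return readRange{Key: prefix, RangeEnd: "\x00"}
}

// user is a constructed stand-in for an authenticated etcd RBAC principal.
type user struct {
	Name  string
	Reads []readRange
}

func (u user) canRead(key string) bool {
	for _, r := range u.Reads {
		if r.covers(key) {
			return true
		}
	}
	return false
}

// lease is a constructed stand-in for the server-side lease record.
type lease struct {
	ID   int64
	TTL  int64
	Keys []string
}

// leaseTimeToLiveVulnerable reproduces the pre-3.4.26 / pre-3.5.9 behaviour
// described in the advisory: when Keys is requested, every attached key name
// is returned without consulting the caller's permissions.
func leaseTimeToLiveVulnerable(l lease, caller user, withKeys bool) []string {
	if !withKeys {
		return nil
	}
	out := append([]string(nil), l.Keys...)
	sort.Strings(out)
	return out
}

// leaseTimeToLiveFixed applies the missing check: only key names the caller
// is allowed to read are returned (filtering policy is this example's choice).
func leaseTimeToLiveFixed(l lease, caller user, withKeys bool) []string {
	if !withKeys {
		return nil
	}
	var out []string
	for _, k := range l.Keys {
		if caller.canRead(k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data: one lease holding a public key and two secrets.
	l := lease{ID: 0x1a2b, TTL: 60, Keys: []string{
		"/public/status", "/secrets/db-password", "/secrets/api-token",
	}}
	alice := user{Name: "alice", Reads: []readRange{prefixRange("/public/")}}

	fmt.Println("vulnerable:", leaseTimeToLiveVulnerable(l, alice, true))
	fmt.Println("fixed:     ", leaseTimeToLiveFixed(l, alice, true))
}
```

On a real cluster the same gap can be observed by granting a user a role that reads only one prefix, attaching keys outside that prefix to a lease, and running `etcdctl --user <user> lease timetolive <lease-id> --keys` against an unpatched member; a patched member no longer reveals the names of keys the user cannot read.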

Affected Versions

All versions before 3.4.26, all versions starting from 3.5.0 before 3.5.9

Solution

Upgrade to version 3.4.26 (3.4 branch) or 3.5.9 (3.5 branch), or any later release on the respective branch.

Last Modified

2023-05-15
