GMS-2022-5095: etcd vulnerable to TOCTOU of gateway endpoint authentication

October 6, 2022

The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation.

Detail

The gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once.

References

github.com/advisories/GHSA-h8g9-6gvh-5mrc
github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc

Detect and mitigate GMS-2022-5095 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →