CVE-2020-15113
CVE-2020-15113 is a high-severity vulnerability with a CVSS 3.1 base score of 7.1. In etcd before versions 3.3.23 and 3.4.10, certain directories (the etcd data directory, and the directory supplied for automatically generated self-signed certificates used for TLS connections with clients) are created with restricted permissions (0700) using os.MkdirAll. That function performs no permission check when the directory already exists, so a pre-existing, more permissive directory silently keeps its mode. EPSS estimates a 0.23% probability of exploitation in the next 30 days.
Description
In etcd before versions 3.3.23 and 3.4.10, certain directories (the etcd data directory, and the directory supplied for automatically generated self-signed certificates used for TLS connections with clients) are created with restricted permissions (0700) using os.MkdirAll. That function performs no permission check when the directory already exists: a data or certificate directory that was created earlier with a looser mode (for example by an operator, a packaging script, or a previous run) is accepted as-is, so local users who should be excluded may keep read or write access to the keys and data inside. The fix is to upgrade to 3.3.23 or 3.4.10. A possible workaround is to ensure the directories already have the desired permission (700) before etcd starts.
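The following Go program is an added illustration, not code from the etcd repository or from the advisory. mkdirVulnerable reproduces the os.MkdirAll pattern the description refers to; mkdirChecked is a hypothetical hardened variant that stats the directory afterwards and refuses any group or other permission bits. newLooseDir is a constructed fixture standing in for a data directory that already existed with mode 0755. Permission bits are only meaningful on Unix-like systems.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// dirPerm is the restricted mode the etcd data directory and the
// auto-generated TLS certificate directory are meant to have.
const dirPerm os.FileMode = 0700

// mkdirVulnerable reproduces the pre-fix pattern described in the advisory:
// os.MkdirAll creates missing path components with dirPerm but returns nil
// without touching the mode of a directory that already exists.
func mkdirVulnerable(path string) error {
	return os.MkdirAll(path, dirPerm)
}

// mkdirChecked is an illustrative hardened variant (not etcd's own fix):
// after MkdirAll it stats the final path and rejects it if any group or
// other permission bit is set, so a pre-existing 0755 directory is caught.
func mkdirChecked(path string) error {
	if err := os.MkdirAll(path, dirPerm); err != nil {
		return err
	}
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s exists but is not a directory", path)
	}
	if mode := info.Mode().Perm(); mode&0077 != 0 {
		return fmt.Errorf("%s has mode %04o, want %04o", path, mode, dirPerm)
	}
	return nil
}

// dirMode returns the permission bits of path so the two behaviours can be
// compared.
func dirMode(path string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// newLooseDir creates a world-readable directory under root (a constructed
// fixture standing in for a data directory left behind by an earlier run or
// a packaging script). os.Chmod is used because os.Mkdir is subject to umask.
func newLooseDir(root, name string) (string, error) {
	path := filepath.Join(root, name)
	if err := os.Mkdir(path, 0755); err != nil {
		return "", err
	}
	if err := os.Chmod(path, 0755); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	root, err := os.MkdirTemp("", "cve-2020-15113-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	data, err := newLooseDir(root, "data")
	if err != nil {
		panic(err)
	}

	// Vulnerable pattern: the call succeeds and the directory stays 0755.
	if err := mkdirVulnerable(data); err != nil {
		panic(err)
	}
	mode, _ := dirMode(data)
	fmt.Printf("after MkdirAll: %s is %04o (intended %04o)\n", data, mode, dirPerm)

	// Checked pattern: refuses to proceed on the over-permissive directory.
	fmt.Println("checked on existing dir:", mkdirChecked(data))

	// On a fresh path both behave the same and produce 0700.
	certs := filepath.Join(root, "certs")
	fmt.Println("checked on fresh dir:", mkdirChecked(certs))
	mode, _ = dirMode(certs)
	fmt.Printf("%s is %04o\n", certs, mode)
}
```

The check is deliberately stricter than "mode != 0700": it rejects any group/other bit, which also catches modes such as 0710 or 0750 that an operator might not think of as world-accessible. Whether to fail hard or to log and chmod is a deployment choice; failing hard is safer for a directory that holds TLS private keys.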
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Etcd | Etcd | < 3.3.23 |
| Etcd | Etcd | >= 3.4.0, < 3.4.10 |
| Fedoraproject | Fedora | 32 |
References
- https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92 (Third Party Advisory)
Frequently Asked Questions
What is CVE-2020-15113?
A permission-preservation flaw in etcd before 3.3.23 and 3.4.10. The data directory and the directory for automatically generated self-signed TLS certificates are created with mode 0700 via os.MkdirAll, which leaves the looser permissions of a directory that already exists untouched.
How severe is CVE-2020-15113?
High: CVSS 3.1 base score 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), meaning a local, low-privileged user could read or modify the contents of a directory that was already more permissive than intended. EPSS estimates a 0.23% probability of exploitation in the next 30 days.
How do I fix CVE-2020-15113?
Upgrade to etcd 3.3.23 or 3.4.10 (or later). As a workaround, ensure the data directory and the certificate directory have permission 700 before starting etcd.
Source: NVD / NIST
