CVE-2020-15136— etcd 访问控制错误漏洞

Improper authentication in etcd

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

认证机制不恰当

etcd 访问控制错误漏洞

etcd是一套使用Go语言编写的用于分布式系统的键值存储系统。 etcd 3.4.10之前版本和3.3.23之前版本中存在访问控制错误漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。

N/A

N/A