GHSA-vjg6-93fv-qv64

Source

https://github.com/advisories/GHSA-vjg6-93fv-qv64

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-vjg6-93fv-qv64/GHSA-vjg6-93fv-qv64.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vjg6-93fv-qv64

Aliases

GO-2024-2530

Related

CGA-7c9r-wr9x-8v5w

Published

2024-02-03T00:03:09Z

Modified

2024-07-08T20:02:46Z

Summary

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only

Details

Vulnerability type

Logging

Detail

etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be misleading when auditing etcd logs.

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory: * Contact the etcd security committee

References

Affected packages

Go / go.etcd.io/etcd/v3

Package

Name: go.etcd.io/etcd/v3; View open source insights on deps.dev
Purl: pkg:golang/go.etcd.io/etcd/v3

Affected ranges

Type: SEMVER
Events: Introduced

3.4.0-rc.0

Fixed

3.4.10

Database specific

{
    "last_known_affected_version_range": "<= 3.4.9"
}

Go / go.etcd.io/etcd/v3

Package

Name: go.etcd.io/etcd/v3; View open source insights on deps.dev
Purl: pkg:golang/go.etcd.io/etcd/v3

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.23