CVE-2020-15113

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.7 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
etcdetcd
𝑥
< 3.3.23
etcdetcd
3.4.0 ≤
𝑥
< 3.4.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
etcd
bookworm
3.4.23-4
fixed
bullseye
3.3.25+dfsg-6
fixed
buster
no-dsa
sid
3.5.16-3
fixed
trixie
3.5.15-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
etcd
bionic
Fixed 3.2.17+dfsg-1ubuntu0.1+esm1
released
focal
Fixed 3.2.26+dfsg-6ubuntu0.1
released
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needed
trusty
dne
xenial
needed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
etcd
CBL-Mariner 2.0
0:3.5.0-3.cm2
fixed