CVE-2020-15136
CVSS V2 Medium 5.8
CVSS V3 Medium 6.5
Description
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
Overview
- CVE ID
- CVE-2020-15136
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2020-08-06T23:15:11
- Last Modified Date
- 2021-11-18T18:31:58
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:* | 1 | OR | 3.3.0 | 3.3.23 |
| cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:* | 1 | OR | 3.4.0 | 3.4.10 |
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:N/C:P/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 5.8
- Severity
- MEDIUM
- Exploitability Score
- 8.6
- Impact Score
- 4.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- HIGH
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 6.5
- Base Severity
- MEDIUM
- Exploitability Score
- 2.2
- Impact Score
- 4.2
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q | Third Party Advisory |
| https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md | Broken Link |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/ | Mailing List Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-15136 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15136 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 06:45:47 | Added to TrackCVE | |||
| 2022-12-04 20:39:12 | 2020-08-06T23:15Z | 2020-08-06T23:15:11 | CVE Published Date | updated |
| 2022-12-04 20:39:12 | 2021-11-18T18:31:58 | CVE Modified Date | updated | |
| 2022-12-04 20:39:12 | Analyzed | Vulnerability Status | updated |