CVE-2018-1098

Name of the Vulnerable Software and Affected Versions etcd versions 3.3.1 and earlier

Description A cross-site request forgery flaw was found, allowing an attacker to set up a website that tries to send a POST request to the etcd server and modify a key. Since adding a key is done with PUT, it is theoretically safe, but POST allows creating in-order keys that an attacker can send.

Recommendations For etcd versions 3.3.1 and earlier, consider disabling the POST request functionality to the etcd server as a temporary workaround until a patch is available. Restrict access to the etcd server to minimize the risk of exploitation. Avoid using the POST method in the affected API endpoint until the issue is resolved.