Etcd · Etcd · CVE-2023-32082
**Name of the Vulnerable Software and Affected Versions**
etcd versions prior to 3.4.26 and prior to 3.5.9
**Description**
The issue is related to insufficient protection of service data in etcd, a distributed key-value store. The LeaseTimeToLive API allows access to key names associated with a lease when the `Keys` parameter is true, even if a user does not have read permission to the keys. This issue is limited to clusters that enable authentication (RBAC).
**Recommendations**
For versions prior to 3.4.26, update to version 3.4.26 or later.
For versions prior to 3.5.9, update to version 3.5.9 or later.
As a temporary workaround, consider disabling the LeaseTimeToLive API or restricting access to it until a patch is applied.
Restrict access to the `Keys` parameter in the LeaseTimeToLive API to minimize the risk of exploitation.
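To triage an inventory of clusters against the affected ranges above, the following added example (not code from the etcd project) classifies a version string such as the one reported by `etcdctl version`. The function name `Affected` and the sample inventory are assumptions made for illustration; pre-release suffixes are ignored and only the numeric core is compared.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch maps each release line named in the advisory to its first fixed patch.
var fixedPatch = map[int]int{4: 26, 5: 9}

// Affected reports whether an etcd version string (e.g. "3.5.8", "v3.4.25")
// falls in the ranges the advisory lists for CVE-2023-32082.
// It does not know whether RBAC is enabled; the advisory limits the issue to
// clusters with authentication turned on.
func Affected(version string) (bool, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	// Assumption: drop pre-release/build suffixes ("-rc.0", "+git") before comparing.
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unrecognized version %q", version)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return false, fmt.Errorf("unrecognized version %q", version)
		}
		n[i] = x
	}
	major, minor, patch := n[0], n[1], n[2]
	if major < 3 || (major == 3 && minor < 4) {
		return true, nil // older release lines are "prior to 3.4.26"
	}
	if fix, ok := fixedPatch[minor]; ok && major == 3 {
		return patch < fix, nil
	}
	return false, nil // release lines newer than 3.5
}

func main() {
	// Constructed sample inventory, not real cluster data.
	for _, v := range []string{"3.4.25", "3.4.26", "v3.5.8", "3.5.9", "3.3.27", "3.6.0"} {
		affected, err := Affected(v)
		fmt.Printf("%-8s affected=%v err=%v\n", v, affected, err)
	}
}
```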