PT-2020-14216 · Coreos+1 · Etcd+1

Spzala · Published 2020-08-05 · Updated 2024-01-31 · CVE-2020-15136

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: etcd versions prior to 3.4.10; etcd versions prior to 3.3.23

Description: The issue concerns gateway TLS authentication in etcd, which is applied only to endpoints discovered through DNS SRV records. When a gateway starts, TLS authentication is attempted only against endpoints found in the DNS SRV records for the given domain; no authentication is performed against endpoints supplied with the --endpoints flag. The flaw is in the discoverEndpoints function.

Recommendations: For etcd versions prior to 3.4.10, update to version 3.4.10 or later. For etcd versions prior to 3.3.23, update to version 3.3.23 or later. As a temporary workaround until the patch is applied, consider restricting use of the --endpoints flag and relying on endpoints discovered through DNS SRV records, which do receive TLS authentication. Refer to the etcd gateway documentation for more information on secure configuration and endpoint validation.
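An added illustration in Go of the gap described above (example code written for this page, not etcd's own discoverEndpoints): a gateway-style discovery that applies its TLS check only to SRV-derived endpoints, next to a corrected version that checks every endpoint regardless of where it came from. The tlsCheck domain rule and all endpoint names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// tlsCheck stands in for the gateway's TLS authentication of a backend.
// Constructed rule for the example: an endpoint passes only if its host lies in
// the trusted domain. A real gateway would do a TLS handshake and verify the
// peer certificate instead.
func tlsCheck(ep, trustedDomain string) error {
	host := strings.Split(ep, ":")[0]
	if !strings.HasSuffix(host, "."+trustedDomain) {
		return errors.New("endpoint " + ep + " failed TLS authentication")
	}
	return nil
}

// vulnerableDiscover mirrors the flaw: the TLS check runs only over endpoints
// obtained from DNS SRV lookup, while endpoints given via --endpoints are
// accepted without any check.
func vulnerableDiscover(srvEndpoints, flagEndpoints []string, domain string) []string {
	var accepted []string
	for _, ep := range srvEndpoints {
		if err := tlsCheck(ep, domain); err == nil {
			accepted = append(accepted, ep)
		}
	}
	return append(accepted, flagEndpoints...) // --endpoints bypass the check
}

// fixedDiscover applies the same check to every endpoint, whatever its source.
func fixedDiscover(srvEndpoints, flagEndpoints []string, domain string) []string {
	all := append(append([]string{}, srvEndpoints...), flagEndpoints...)
	var accepted []string
	for _, ep := range all {
		if err := tlsCheck(ep, domain); err == nil {
			accepted = append(accepted, ep)
		}
	}
	return accepted
}

func main() {
	srv := []string{"etcd-1.cluster.example:2379"}
	flags := []string{"etcd-2.cluster.example:2379", "untrusted.other.example:2379"}
	fmt.Println("vulnerable:", vulnerableDiscover(srv, flags, "cluster.example"))
	fmt.Println("fixed:     ", fixedDiscover(srv, flags, "cluster.example"))
}
```

The untrusted endpoint is forwarded to by the vulnerable path but dropped by the corrected one, which is the behavioural difference the 3.4.10 / 3.3.23 fix restores.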

Fix

Weakness Enumeration: Improper Authentication; Missing Authentication

Related Identifiers

ALT-PU-2020-2736
ALT-PU-2021-1544
ALT-PU-2022-1247
AZL-6393
CVE-2020-15136
GHSA-WR2V-9RPQ-C35Q
RHSA-2021:0916

Affected Products

Alt Linux
Etcd