PT-2023-23594 · Etcd+3

Yoni Rozenshein · Published 2023-05-11 · Updated 2025-02-21 · CVE-2023-32082

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: etcd versions prior to 3.4.26 and prior to 3.5.9

Description: The issue is related to insufficient protection of service data in etcd, a distributed key-value store. The LeaseTimeToLive API discloses the names of the keys attached to a lease when the Keys parameter is true, even if the calling user has no read permission on those keys. This issue is limited to clusters that enable authentication (RBAC).

Recommendations: For versions prior to 3.4.26, update to version 3.4.26 or later. For versions prior to 3.5.9, update to version 3.5.9 or later. As a temporary workaround until the patch is applied, consider disabling the LeaseTimeToLive API or restricting access to it, and restrict use of the Keys parameter of the LeaseTimeToLive API to minimize the risk of exploitation.
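The missing check described above, as an added Go example that is not etcd's own code: an etcd-style range permission model and a per-key read check over the keys attached to a lease, assuming (my reading of the fix, not quoted from it) that a request with Keys=true is refused outright when any attached key lies outside the caller's read grants. ReadGrant and LeaseKeysForCaller are hypothetical names, and the lease keys and grants are constructed sample data.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ReadGrant is an etcd-style read permission over the half-open interval [Key, RangeEnd):
// an empty RangeEnd means exactly Key, a RangeEnd of "\x00" means every key >= Key, and a
// prefix grant on "/config/" is stored as ["/config/", "/config0").
type ReadGrant struct{ Key, RangeEnd []byte }
func (g ReadGrant) covers(key []byte) bool {
	if len(g.RangeEnd) == 0 {
		return bytes.Equal(g.Key, key)
	}
	if bytes.Equal(g.RangeEnd, []byte{0}) {
		return bytes.Compare(key, g.Key) >= 0
	}
	return bytes.Compare(key, g.Key) >= 0 && bytes.Compare(key, g.RangeEnd) < 0
}

// LeaseKeysForCaller is the per-key read check the vulnerable versions skipped: the keys
// attached to a lease are disclosed only if every one of them lies inside the caller's
// read grants. wantKeys mirrors the request's Keys flag.
func LeaseKeysForCaller(leaseKeys []string, grants []ReadGrant, wantKeys bool) ([]string, error) {
	if !wantKeys {
		return nil, nil
	}
	for _, k := range leaseKeys {
		permitted := false
		for _, g := range grants {
			if permitted = g.covers([]byte(k)); permitted {
				break
			}
		}
		if !permitted { // refuse the whole request; the error deliberately names no key
			return nil, errors.New("etcdserver: permission denied")
		}
	}
	return leaseKeys, nil
}

func main() {
	lease := []string{"/config/public/a", "/secrets/db-password"} // constructed sample
	configOnly := []ReadGrant{{Key: []byte("/config/"), RangeEnd: []byte("/config0")}}
	_, err := LeaseKeysForCaller(lease, configOnly, true)
	fmt.Println("read on /config/ only:", err) // etcdserver: permission denied
}
```

A caller whose grants cover only the /config/ prefix is refused without learning that a key under /secrets/ is attached to the lease; a caller with an open-ended grant from "/" sees both keys.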

Exploit · Fix · DoS · Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1897
ALT-PU-2023-1930
ALT-PU-2023-1931
ALT-PU-2023-2072
AZL-26666
BDU:2025-01413
BIT-ETCD-2023-32082
CVE-2023-32082
GHSA-3P4G-RCW5-8298
OESA-2025-1168
OESA-2025-1169
OESA-2025-1170
RHSA-2023:3441

Affected Products

Alt Linux
Debian
Red Os
Etcd