CVE Vulnerabilities

CVE-2020-15113

Improper Preservation of Permissions

Published: Aug 05, 2020 | Modified: Nov 07, 2023

CVSS 3.x: 7.1 HIGH (Source: NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 2.x: 3.6 LOW
AV:L/AC:L/Au:N/C:P/I:P/A:N

RedHat/V2
RedHat/V3: 7.1 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Ubuntu: MEDIUM

In etcd before versions 3.3.23 and 3.4.10, certain directory paths (the etcd data directory and the directory path provided for automatically generating self-signed certificates for TLS connections with clients) are created with restricted access permissions (700) using os.MkdirAll. This function does not perform any permission checks when the given directory path already exists, so a pre-existing directory keeps whatever permissions it already had. A possible workaround is to ensure the directories have the desired permission (700).
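The behaviour described above, shown as an added Go example (not etcd's code, and not taken from this advisory): a directory that already exists with mode 0755 is passed to os.MkdirAll with 0700, the call succeeds, and the mode is unchanged. The helper name `ensurePrivateDir` and the temporary directory are assumptions for illustration, and Unix permission semantics are assumed.

```go
package main

import (
	"fmt"
	"os"
)

// ensurePrivateDir is a hypothetical helper (not etcd's code). It creates dir
// with mode 0700 and then verifies the mode, because os.MkdirAll returns nil
// without touching permissions when dir already exists.
func ensurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm != 0o700 {
		return fmt.Errorf("%s has permissions %04o, want 0700", dir, perm)
	}
	return nil
}

// demo sets a constructed, pre-existing directory to mode 0755, then returns
// the mode left behind by os.MkdirAll(dir, 0700), MkdirAll's error, and the
// result of the checked helper.
func demo() (os.FileMode, error, error) {
	dir, err := os.MkdirTemp("", "perm-demo-")
	if err != nil {
		return 0, err, err
	}
	defer os.RemoveAll(dir)
	if err := os.Chmod(dir, 0o755); err != nil { // simulate a loosely-permissioned existing dir
		return 0, err, err
	}
	mkErr := os.MkdirAll(dir, 0o700) // succeeds silently on the existing directory
	info, err := os.Stat(dir)
	if err != nil {
		return 0, mkErr, err
	}
	return info.Mode().Perm(), mkErr, ensurePrivateDir(dir)
}

func main() {
	perm, mkErr, checkErr := demo()
	fmt.Printf("after MkdirAll: mode=%04o err=%v; checked helper: %v\n", perm, mkErr, checkErr)
}
```

Whether to fail, warn, or chmod the directory when the mode is wrong is a deployment decision; this sketch fails closed.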

Weakness

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Software

Name | Vendor | Start Version | End Version
Etcd | Etcd | * | 3.3.23 (excluding)
Etcd | Etcd | 3.4.0 (including) | 3.4.10 (excluding)
Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-etcd:v4.8.0-202106152230.p0.git.aefa6bf.assembly.stream | *
Red Hat OpenStack Platform 16.1 | RedHat | etcd-0:3.3.23-1.el8ost | *
Etcd | Ubuntu | bionic | *
Etcd | Ubuntu | devel | *
Etcd | Ubuntu | esm-apps/bionic | *
Etcd | Ubuntu | esm-apps/jammy | *
Etcd | Ubuntu | esm-apps/noble | *
Etcd | Ubuntu | esm-apps/xenial | *
Etcd | Ubuntu | focal | *
Etcd | Ubuntu | groovy | *
Etcd | Ubuntu | hirsute | *
Etcd | Ubuntu | impish | *
Etcd | Ubuntu | jammy | *
Etcd | Ubuntu | kinetic | *
Etcd | Ubuntu | lunar | *
Etcd | Ubuntu | mantic | *
Etcd | Ubuntu | noble | *
Etcd | Ubuntu | trusty | *
Etcd | Ubuntu | upstream | *
Etcd | Ubuntu | xenial | *

References