CVE-2020-15136

In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the –endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Etcd	Redhat	3.3.0 (including)	3.3.23 (excluding)
Etcd	Redhat	3.4.0 (including)	3.4.10 (excluding)
Red Hat OpenShift Container Platform 4.8	RedHat	openshift4/ose-etcd:v4.8.0-202106152230.p0.git.aefa6bf.assembly.stream	*
Red Hat OpenStack Platform 16.1	RedHat	etcd-0:3.3.23-1.el8ost	*
Etcd	Ubuntu	bionic	*
Etcd	Ubuntu	focal	*
Etcd	Ubuntu	groovy	*
Etcd	Ubuntu	hirsute	*
Etcd	Ubuntu	impish	*
Etcd	Ubuntu	kinetic	*
Etcd	Ubuntu	lunar	*
Etcd	Ubuntu	mantic	*
Etcd	Ubuntu	oracular	*
Etcd	Ubuntu	plucky	*
Etcd	Ubuntu	trusty	*
Etcd	Ubuntu	upstream	*
Etcd	Ubuntu	xenial	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-15136
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2020-15136

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References