High severityNVD Advisory· Published Jan 14, 2019· Updated Aug 5, 2024
CVE-2018-16886
CVE-2018-16886
Description
etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.etcd.io/etcd/v3Go | >= 3.2.0, < 3.2.26 | 3.2.26 |
go.etcd.io/etcd/v3Go | >= 3.3.0, < 3.3.11 | 3.3.11 |
go.etcd.io/etcdGo | < 0.5.0-alpha.5.0.20190108173120-83c051b701d3 | 0.5.0-alpha.5.0.20190108173120-83c051b701d3 |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/etcd-3.4pkg:apk/chainguard/etcd-3.4-bitnami-compatpkg:apk/chainguard/etcd-3.4-iamguarded-compatpkg:apk/chainguard/etcd-fips-3.4pkg:golang/go.etcd.io/etcdpkg:golang/go.etcd.io/etcd/v3pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/etcd&distro=openSUSE%20Tumbleweed
< 3.4.36-r1+ 8 more
- (no CPE)range: < 3.4.36-r1
- (no CPE)range: < 3.4.36-r1
- (no CPE)range: < 3.4.36-r1
- (no CPE)range: < 3.4.36-r1
- (no CPE)range: < 0.5.0-alpha.5.0.20190108173120-83c051b701d3
- (no CPE)range: >= 3.2.0, < 3.2.26
- (no CPE)range: < 3.5.12-150000.7.6.1
- (no CPE)range: < 3.5.12-150000.7.6.1
- (no CPE)range: < 3.4.16-3.1
- The etcd Project/etcd:v5Range: versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11
Patches
Vulnerability mechanics
References
16- access.redhat.com/errata/RHSA-2019:0237ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:1352ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-h6xx-pmxh-3wgpghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2018-16886ghsaADVISORY
- www.securityfocus.com/bid/106540ghsavdb-entryx_refsource_BIDWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.2.mdghsax_refsource_MISCWEB
- github.com/etcd-io/etcd/blob/1eee465a43720d713bb69f7b7f5e120135fdb1ac/CHANGELOG-3.3.mdghsax_refsource_MISCWEB
- github.com/etcd-io/etcd/commit/0191509637546621d6f2e18e074e955ab8ef374dghsaWEB
- github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2ghsaWEB
- github.com/etcd-io/etcd/pull/10366ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKSghsaWEB
- pkg.go.dev/vuln/GO-2021-0077ghsaWEB
News mentions
0No linked articles in our index yet.