Low severity · NVD Advisory · Published Aug 5, 2020 · Updated Aug 4, 2024
Improper Input Validation in etcd
CVE-2020-15106
Description
In etcd before versions 3.3.23 and 3.4.10, the WAL decoder's decodeRecord method sizes a slice directly from the length field of each WAL record without validating it. Because that size is read straight from the WAL file, a forged, extremely large frame size makes the allocation panic, crashing any Raft participant that tries to decode the WAL. Forging the frame requires the ability to write to the member's WAL file on disk; a member that replays a tampered log will panic on every restart until the file is repaired or replaced.
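As an added illustration (an editor's example, not code from etcd or from this advisory), the following Go program mirrors the WAL frame layout and shows a pre-fix style decoder panicking on a forged length field while a bounded decoder rejects the same bytes with an error. The 10 MiB cap and the error name are reproduced from memory of the 3.4.10 fix and are assumptions; the legitimate and forged frames are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Frame layout of an etcd WAL record (wal/encoder.go, wal/decoder.go):
//
//	[8-byte little-endian length field][record bytes][0-7 pad bytes]
//
// The low 56 bits of the length field are the record size. If bit 63 is set,
// bits 56..58 carry the number of pad bytes that round the frame up to 8 bytes.
const frameSizeBytes = 8

// Cap introduced by the fix (10 MiB). Name and value are recalled from etcd
// 3.4.10 and are an assumption here; only the existence of a bound matters.
const maxWALEntrySizeLimit = int64(10 * 1024 * 1024)

var ErrMaxWALEntrySizeLimitExceeded = errors.New("wal: max entry size limit exceeded")

// decodeFrameSize splits the raw length field into record and pad sizes.
func decodeFrameSize(lenField int64) (recBytes, padBytes int64) {
	recBytes = int64(uint64(lenField) &^ (uint64(0xff) << 56))
	if lenField < 0 { // bit 63 set: padding present
		padBytes = int64((uint64(lenField) >> 56) & 0x7)
	}
	return recBytes, padBytes
}

// buildFrame encodes one record the way the WAL encoder does. An attacker who
// can write the WAL file does the same with a length field of their choosing.
func buildFrame(data []byte) []byte {
	lenField := uint64(len(data))
	pad := (frameSizeBytes - len(data)%frameSizeBytes) % frameSizeBytes
	if pad != 0 {
		lenField |= uint64(0x80|pad) << 56
	}
	frame := make([]byte, frameSizeBytes, frameSizeBytes+len(data)+pad)
	binary.LittleEndian.PutUint64(frame, lenField)
	frame = append(frame, data...)
	return append(frame, make([]byte, pad)...)
}

// forgedFrame is a constructed 8-byte header claiming a 2^56-1 byte record
// (the largest value the 56-bit size field can hold) with no payload behind it.
func forgedFrame() []byte {
	hdr := make([]byte, frameSizeBytes)
	binary.LittleEndian.PutUint64(hdr, 1<<56-1)
	return hdr
}

// decodeVulnerable mirrors the pre-3.4.10 logic: the slice is sized straight
// from the untrusted length field, so a forged size panics inside make.
func decodeVulnerable(frame []byte) ([]byte, error) {
	r := bytes.NewReader(frame)
	var l int64
	if err := binary.Read(r, binary.LittleEndian, &l); err != nil {
		return nil, err
	}
	recBytes, padBytes := decodeFrameSize(l)
	data := make([]byte, recBytes+padBytes) // forged size: makeslice panic
	if _, err := io.ReadFull(r, data); err != nil {
		return nil, err
	}
	return data[:recBytes], nil
}

// decodeHardened adds the bound the fix introduced: reject the record before
// allocating when the claimed size cannot be a legitimate entry.
func decodeHardened(frame []byte) ([]byte, error) {
	r := bytes.NewReader(frame)
	var l int64
	if err := binary.Read(r, binary.LittleEndian, &l); err != nil {
		return nil, err
	}
	recBytes, padBytes := decodeFrameSize(l)
	if recBytes >= maxWALEntrySizeLimit-padBytes {
		return nil, ErrMaxWALEntrySizeLimitExceeded
	}
	data := make([]byte, recBytes+padBytes)
	if _, err := io.ReadFull(r, data); err != nil {
		return nil, err
	}
	return data[:recBytes], nil
}

// recoverPanic runs f and reports whether it panicked, standing in for the
// etcd process that would otherwise have died.
func recoverPanic(f func()) (panicked bool, msg string) {
	defer func() {
		if r := recover(); r != nil {
			panicked, msg = true, fmt.Sprint(r)
		}
	}()
	f()
	return false, ""
}

func main() {
	good := buildFrame([]byte("hello"))
	rec, err := decodeHardened(good)
	fmt.Printf("legit frame: %q err=%v\n", rec, err)

	bad := forgedFrame()
	panicked, msg := recoverPanic(func() { _, _ = decodeVulnerable(bad) })
	fmt.Printf("vulnerable decoder: panicked=%v (%s)\n", panicked, msg)
	_, err = decodeHardened(bad)
	fmt.Printf("hardened decoder: err=%v\n", err)
}
```

The forged header is only eight bytes, yet the unchecked decoder never gets as far as reading the payload: the allocation itself fails with a runtime makeslice panic, which is the crash the advisory describes. A fixed cap is the minimal fix; a tighter bound is the number of bytes remaining in the WAL file, which rejects any claimed size the file cannot possibly contain regardless of the cap.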
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| go.etcd.io/etcd (Go) | < 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 | 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 |
Affected products
25 OSV-coordinated entries; none of them carries a CPE.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/dgraph | < 23.1.0-r6 |
| pkg:apk/chainguard/etcd-3.4 | < 3.4.36-r1 |
| pkg:apk/chainguard/etcd-3.4-bitnami-compat | < 3.4.36-r1 |
| pkg:apk/chainguard/etcd-3.4-iamguarded-compat | < 3.4.36-r1 |
| pkg:apk/chainguard/etcd-fips-3.4 | < 3.4.36-r1 |
| pkg:apk/chainguard/py3.10-etcd | < 0 |
| pkg:apk/chainguard/py3.11-etcd | < 0 |
| pkg:apk/chainguard/py3.12-etcd | < 0 |
| pkg:apk/chainguard/py3.13-etcd | < 0 |
| pkg:apk/chainguard/py3-etcd | < 0 |
| pkg:apk/chainguard/py3-supported-etcd | < 0 |
| pkg:apk/wolfi/dgraph | < 23.1.0-r6 |
| pkg:apk/wolfi/py3.10-etcd | < 0 |
| pkg:apk/wolfi/py3.11-etcd | < 0 |
| pkg:apk/wolfi/py3.12-etcd | < 0 |
| pkg:apk/wolfi/py3.13-etcd | < 0 |
| pkg:apk/wolfi/py3-etcd | < 0 |
| pkg:apk/wolfi/py3-supported-etcd | < 0 |
| pkg:bitnami/etcd | < 3.3.23 |
| pkg:golang/go.etcd.io/etcd | < 0.5.0-alpha.5.0.20200423152442-f4b650b51dc4 |
| pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.5 | < 3.5.12-150000.7.6.1 |
| pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.6 | < 3.5.12-150000.7.6.1 |
| pkg:rpm/opensuse/etcd&distro=openSUSE%20Tumbleweed | < 3.4.16-3.1 |
| pkg:rpm/suse/etcd&distro=SUSE%20Package%20Hub%2015%20SP6 | < 3.5.12-bp156.4.3.1 |
| pkg:rpm/suse/kubernetes&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1 | < 1.17.13-4.21.2 |
Patches
Fixed in etcd 3.3.23 and 3.4.10; the fix commits (f4b650b51dc4, the hash embedded in the patched Go pseudo-version above, and 4571e528f496) and PR etcd-io/etcd#11793 are linked under References. Confirm a member's version with `etcd --version` before deciding whether it needs the upgrade.
References
- github.com/advisories/GHSA-p4g4-wgrh-qrg2 (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-15106 (GHSA, advisory)
- github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf (GHSA, web)
- github.com/etcd-io/etcd/commit/4571e528f49625d3de3170f219a45c3b3d38c675 (GHSA, web)
- github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07 (GHSA, web)
- github.com/etcd-io/etcd/pull/11793 (GHSA, web)
- github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2 (GHSA, x_refsource_CONFIRM, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP (GHSA, web)
- pkg.go.dev/vuln/GO-2020-0005 (GHSA, web)