Improper Preservation of Permissions in etcd
Description
In etcd before versions 3.3.23 and 3.4.10, certain directory paths (the etcd data directory, and the directory given for automatically generating self-signed certificates for TLS connections with clients) are created with restricted access permissions (700) using os.MkdirAll. This function does not perform any permission checks when the given directory path already exists, so a pre-existing directory with looser permissions is used as-is. A possible workaround is to ensure the directories have the desired permission (700).
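The check the description implies, as an added example that is not etcd's own code: create the directory with 0700 and, because os.MkdirAll succeeds silently when the path already exists, stat an existing directory and reject any permission bits beyond the owner's. The function name EnsurePrivateDir, the privateDirMode constant and the temporary directories are this example's own; the Windows skip mirrors the fact that Go reports 0777 for directories there, so mode bits carry no information on that platform.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// privateDirMode mirrors etcd's fileutil.PrivateDirMode on Unix (0700):
// only the owner may list, create or remove entries in the directory.
const privateDirMode os.FileMode = 0700

// EnsurePrivateDir creates dir with mode 0700 if it does not exist. If it
// already exists, os.MkdirAll returns nil whatever its mode is, so we stat
// it afterwards and fail if group or other have any permission bits.
func EnsurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return err
	}
	if runtime.GOOS == "windows" {
		return nil // Go reports 0777 for all directories here; ACLs govern access
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s exists but is not a directory", dir)
	}
	perm := info.Mode().Perm()
	if extra := perm &^ privateDirMode; extra != 0 {
		return fmt.Errorf("%s has mode %o, want %o (extra bits %o)", dir, perm, privateDirMode, extra)
	}
	return nil
}

func main() {
	base, _ := os.MkdirTemp("", "etcd-perm-demo")
	defer os.RemoveAll(base)
	// Constructed scenario: the data directory already exists and is world-readable.
	loose := filepath.Join(base, "data")
	_ = os.Mkdir(loose, 0755)
	_ = os.Chmod(loose, 0755)
	fmt.Println("pre-existing 0755 dir:", EnsurePrivateDir(loose))
	fmt.Println("fresh dir:", EnsurePrivateDir(filepath.Join(base, "fresh")))
}
```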
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/etcd-io/etcd | Go | >= 3.4.0-rc.0, < 3.4.10 | 3.4.10 |
| github.com/etcd-io/etcd | Go | < 3.3.23 | 3.3.23 |
Patches
e5424fc474b2 pkg: Fix dir permission check on Windows
3 files changed · +10 −2
pkg/fileutil/dir_unix.go+5 −0 modified@@ -18,5 +18,10 @@ package fileutil import "os" +const ( + // PrivateDirMode grants owner to make/remove files inside the directory. + PrivateDirMode = 0700 +) + // OpenDir opens a directory for syncing. func OpenDir(path string) (*os.File, error) { return os.Open(path) }
pkg/fileutil/dir_windows.go+5 −0 modified@@ -21,6 +21,11 @@ import ( "syscall" ) +const ( + // PrivateDirMode grants owner to make/remove files inside the directory. + PrivateDirMode = 0777 +) + // OpenDir opens a directory in windows with write access for syncing. func OpenDir(path string) (*os.File, error) { fd, err := openDir(path)
pkg/fileutil/fileutil.go+0 −2 modified@@ -27,8 +27,6 @@ import ( const ( // PrivateFileMode grants owner to read/write a file. PrivateFileMode = 0600 - // PrivateDirMode grants owner to make/remove files inside the directory. - PrivateDirMode = 0700 ) var plog = capnslog.NewPackageLogger("go.etcd.io/etcd", "pkg/fileutil")
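Review bot: The comment on the new constant in dir_windows.go is misleading: `PrivateDirMode = 0777` does not "grant owner to make/remove files" on Windows; it is the mode Go's os package reports for every directory there, which is why a check against 0700 fails on Windows hosts and why the commit title calls this a Windows permission-check fix. Reword the comment to say that, and state that on Windows the directory's actual access control is its ACL, which this value neither sets nor verifies, so the constant must not be read as a security guarantee on that platform.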
6be5c54c9429 pkg: Fix dir permission check on Windows
3 files changed · +10 −2
pkg/fileutil/dir_unix.go+5 −0 modified@@ -18,5 +18,10 @@ package fileutil import "os" +const ( + // PrivateDirMode grants owner to make/remove files inside the directory. + PrivateDirMode = 0700 +) + // OpenDir opens a directory for syncing. func OpenDir(path string) (*os.File, error) { return os.Open(path) }
pkg/fileutil/dir_windows.go+5 −0 modified@@ -21,6 +21,11 @@ import ( "syscall" ) +const ( + // PrivateDirMode grants owner to make/remove files inside the directory. + PrivateDirMode = 0777 +) + // OpenDir opens a directory in windows with write access for syncing. func OpenDir(path string) (*os.File, error) { fd, err := openDir(path)
pkg/fileutil/fileutil.go+0 −2 modified@@ -29,8 +29,6 @@ import ( const ( // PrivateFileMode grants owner to read/write a file. PrivateFileMode = 0600 - // PrivateDirMode grants owner to make/remove files inside the directory. - PrivateDirMode = 0700 ) var (
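Review bot: The code that performs the directory permission check named in the commit title is not part of either diff; the hunks only move `PrivateDirMode` out of fileutil.go into per-platform files, so confirm separately that the caller compares the existing directory's mode against fileutil.PrivateDirMode rather than a literal 0700, otherwise the Windows split changes nothing. This commit matches the one above except for trailing context in the fileutil.go hunk (`var (` here versus `var plog = ...` there), consistent with the same change applied to the 3.3 and 3.4 release branches listed in the affected-packages table.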
References
- github.com/advisories/GHSA-chh6-ppwq-jh92 (GitHub Security Advisory)
- github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92 (etcd project advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15113 (NVD entry)
- github.com/etcd-io/etcd/commit/6be5c54c94298ae6746a574d2af8227d0c9a998b (fix commit)
- github.com/etcd-io/etcd/commit/e5424fc474b274c9e6b5205165015bc2035745f2 (fix commit)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP (Fedora package announcement)