Bitnami package
etcd
pkg:bitnami/etcd
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44283 | None | 0.0 | | < 3.4.44 | 3.4.44 | May 14, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authe |
| CVE-2026-33413 | — | — | | < 3.4.42 | 3.4.42 | Mar 26, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or parti |
| CVE-2026-33343 | — | — | | < 3.4.42 | 3.4.42 | Mar 26, 2026 | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authent |
| CVE-2022-34038 | — | — | | >= 3.5.4, < 3.5.5 | 3.5.5 | Aug 22, 2023 | Etcd v3.5.4 allows remote attackers to cause a denial of service via function PageWriter.write in pagewriter.go. NOTE: the vendor's position is that this is not a vulnerability. |
| CVE-2023-32082 | — | — | | < 3.4.26 | 3.4.26 | May 11, 2023 | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even if a user doesn't have read permission to the keys |
| CVE-2021-28235 | — | — | | >= 3.4.10, < 3.4.11 | 3.4.11 | Apr 4, 2023 | Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function. |
| CVE-2020-15112 | — | — | | < 3.3.23 | 3.3.23 | Aug 5, 2020 | In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go do |
| CVE-2020-15113 | — | — | | < 3.3.23 | 3.3.23 | Aug 5, 2020 | In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.M |
| CVE-2020-15106 | — | — | | < 3.3.23 | 3.3.23 | Aug 5, 2020 | In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that |