
CVE-2020-15106 go.etcd.io/etcd

Package

Manager: go
Name: go.etcd.io/etcd
Vulnerable Version: >=0 <0.5.0-alpha.5.0.20200423152442-f4b650b51dc4

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00095 (percentile 0.2745)

Details

Panic due to malformed WALs in go.etcd.io/etcd

### Vulnerability type

Data Validation

### Detail

The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.

### Specific Go Packages Affected

github.com/etcd-io/etcd/wal

### References

Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information

If you have any questions or comments about this advisory:

* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
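The bug class above (a length field trusted before allocation) and its fix are easiest to see in a length-prefixed decoder. The Go program below is an added illustration and is not code from etcd's wal package; the frame layout (an 8-byte little-endian length followed by the payload), the `maxFrameSize` bound, and all function names are assumptions made for this example. `readFrameUnchecked` shows the pattern the advisory describes, where a forged length drives `make` into a runtime panic; `readFrameChecked` rejects the frame with an error before allocating, and `decodeAll` shows a log reader that stays alive on a bad record instead of taking the whole process down.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Hypothetical frame layout used only for this illustration (not etcd's WAL encoding):
// an 8-byte little-endian length followed by exactly that many payload bytes.
const maxFrameSize = 1 << 20 // assumed upper bound (1 MiB) that a decoder enforces

var (
	ErrFrameTooLarge = errors.New("frame length exceeds maximum")
	ErrTruncated     = errors.New("frame truncated")
)

// encodeFrame builds one well-formed frame; used here only to construct sample input.
func encodeFrame(payload []byte) []byte {
	buf := make([]byte, 8+len(payload))
	binary.LittleEndian.PutUint64(buf, uint64(len(payload)))
	copy(buf[8:], payload)
	return buf
}

// forgedFrame is a constructed test vector: a header claiming n payload bytes with no payload.
func forgedFrame(n uint64) []byte {
	hdr := make([]byte, 8)
	binary.LittleEndian.PutUint64(hdr, n)
	return hdr
}

// readFrameUnchecked trusts the length field blindly. A forged length makes the
// allocation fail with a runtime panic ("makeslice: len out of range"), which is the
// data-validation flaw this advisory describes.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var n uint64
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return nil, err
	}
	payload := make([]byte, n) // no bound check: panics on a huge n
	if _, err := io.ReadFull(r, payload); err != nil {
		return nil, err
	}
	return payload, nil
}

// readFrameChecked validates the length against a fixed bound before allocating, so a
// malformed record becomes a decode error the caller can handle instead of a crash.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var n uint64
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return nil, err
	}
	if n > maxFrameSize {
		return nil, fmt.Errorf("%w: %d > %d", ErrFrameTooLarge, n, maxFrameSize)
	}
	payload := make([]byte, n)
	if _, err := io.ReadFull(r, payload); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, ErrTruncated
		}
		return nil, err
	}
	return payload, nil
}

// decodeAll reads every frame in a log image; on a bad record it returns the frames
// decoded so far together with the error, mirroring how a log replayer should fail.
func decodeAll(wal []byte) ([][]byte, error) {
	r := bytes.NewReader(wal)
	var frames [][]byte
	for r.Len() > 0 {
		f, err := readFrameChecked(r)
		if err != nil {
			return frames, err
		}
		frames = append(frames, f)
	}
	return frames, nil
}

func main() {
	p, err := readFrameChecked(bytes.NewReader(encodeFrame([]byte("raft entry"))))
	fmt.Printf("valid frame: %q err=%v\n", p, err)

	_, err = readFrameChecked(bytes.NewReader(forgedFrame(1 << 62)))
	fmt.Println("forged frame, checked decoder:", err)

	func() {
		defer func() { fmt.Println("forged frame, unchecked decoder: recovered panic:", recover()) }()
		readFrameUnchecked(bytes.NewReader(forgedFrame(1 << 62)))
	}()
}
```

The bound check must run before the allocation, not after: once `make` has been asked for the forged size the panic has already happened. A real log format would also carry a CRC or similar integrity check per record, which catches corruption but not a deliberately consistent forged header, so the size bound is needed regardless.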

Metadata

Created: 2023-02-07T22:59:30Z
Modified: 2023-10-02T13:55:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-p4g4-wgrh-qrg2/GHSA-p4g4-wgrh-qrg2.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-p4g4-wgrh-qrg2
Finding: F184
Auto approve: 1