CVE-2020-15112 go.etcd.io/etcd/v3

Package

Manager: go
Name: go.etcd.io/etcd/v3
Vulnerable Version: >=0 <3.3.23 || >=3.4.0 <3.4.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00102 (percentile: 0.28745)

Details

etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic

### Vulnerability type

Data Validation

### Detail

In the `ReadAll` method in wal/wal.go, it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus, as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

### References

Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information

If you have any questions or comments about this advisory:

* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md)
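The following is an added example, not etcd's code: a simplified model of the pattern described under Detail, where an entry index read from storage is used as a slice bound during replay. It shows the unchecked form next to a form that validates the offset first. The names `Entry`, `replayUnchecked`, `replayChecked` and `ErrIndexOutOfRange` are hypothetical, and the sample records are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is a simplified stand-in for a log entry (assumption, not etcd's type).
type Entry struct{ Index, Term uint64 }

var ErrIndexOutOfRange = errors.New("wal: entry index out of range")

// replayUnchecked uses the stored index directly as a slice bound. The
// recover() only turns the resulting panic into an error for demonstration.
func replayUnchecked(start uint64, recs []Entry) (ents []Entry, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	for _, e := range recs {
		if e.Index > start {
			ents = append(ents[:e.Index-start-1], e) // panics if the offset exceeds cap(ents)
		}
	}
	return ents, nil
}

// replayChecked rejects an entry whose offset points past the entries read
// so far, returning an error instead of letting the slice expression panic.
func replayChecked(start uint64, recs []Entry) ([]Entry, error) {
	var ents []Entry
	for _, e := range recs {
		if e.Index <= start {
			continue // at or before the snapshot position: nothing to keep
		}
		up := e.Index - start - 1
		if up > uint64(len(ents)) {
			return nil, fmt.Errorf("%w: index %d with %d entries after %d", ErrIndexOutOfRange, e.Index, len(ents), start)
		}
		ents = append(ents[:up], e) // up < len(ents) overwrites the tail
	}
	return ents, nil
}

func main() {
	recs := []Entry{{1, 1}, {2, 1}, {1 << 40, 1}} // constructed; last index is far out of range
	_, errU := replayUnchecked(0, recs)
	_, errC := replayChecked(0, recs)
	fmt.Printf("unchecked: %v\nchecked: %v\n", errU, errC)
}
```
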

Metadata

Created: 2022-10-06T23:03:57Z
Modified: 2022-10-06T23:03:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-m332-53r6-2w93/GHSA-m332-53r6-2w93.json
CWE IDs: ["CWE-129", "CWE-20"]
Alternative ID: GHSA-m332-53r6-2w93
Finding: F184
Auto approve: 1