CVE-2023-32082 LOW

CVE-2023-32082: etcd key name can be accessed via LeaseTimeToLive API

Vendor Etcd-Io
Product etcd
Weakness CWE-200 · Info exposure
Published May 11, 2023
Last update January 24, 2025

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API returns the key names (not the values) associated with a lease when the `Keys` parameter is true, even if the calling user does not have read permission on those keys. The impact is limited to clusters that enable authentication (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds.

Key dates

Disclosure timeline

May 11, 2023 CVE published
January 24, 2025 Record updated