Vulnerability Report: GO-2021-0077

CVE-2018-16886, GHSA-h6xx-pmxh-3wgp
Affects: go.etcd.io/etcd
Published: Apr 14, 2021
Modified: May 20, 2024

A user can use a valid client certificate that contains a CommonName that matches a valid RBAC username to authenticate themselves as that user, despite lacking the required credentials. This may allow authentication bypass, but requires a certificate that is issued by a CA trusted by the server.

Affected Packages

Path

Go Versions

Symbols
go.etcd.io/etcd/auth

before v0.5.0-alpha.5.0.20190108173120-83c051b701d3
1 unexported affected symbols
- authStore.AuthInfoFromTLS

Aliases

CVE-2018-16886
GHSA-h6xx-pmxh-3wgp

References

https://github.com/etcd-io/etcd/pull/10366
https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
https://vuln.go.dev/ID/GO-2021-0077.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL