5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15113

GHSA ID

GHSA-chh6-ppwq-jh92

EPSS Score

0.04252%

CWE

CWE-281

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15113

CVE-2020-15113: Improper Preservation of Permissions in etcd

Vulnerability type

Access Controls

Detail

etcd creates certain directory paths (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already.

Specific Go Package Affected

github.com/etcd-io/etcd/pkg/fileutil

Workarounds

Make sure these directories have the desired permit (700).

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory:

Contact the etcd security committee

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15113

GHSA ID

GHSA-chh6-ppwq-jh92

EPSS Score

0.04252%

CWE

CWE-281

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/etcd-io/etcd	go	>= 3.4.0-rc.0, < 3.4.10	3.4.10
github.com/etcd-io/etcd	go	< 3.3.23	3.3.23

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly states that etcd uses os.MkdirAll to create directories with restricted permissions (700), but existing directories are not checked for proper permissions. The Go standard library's os.MkdirAll function is the root cause because it does not enforce permissions on pre-existing directories. While the exact etcd code paths calling os.MkdirAll are not provided in the data, the advisory confirms the improper usage occurs in the etcd package (github.com/etcd-io/etcd/pkg/fileutil) for directory creation. Thus, the vulnerable function is os.MkdirAll as used by etcd in these contexts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Vuln*r**ility typ* ****ss *ontrols ### **t*il *t** *r**t*s **rt*in *ir**tory p*t*s (*t** **t* *ir**tory *n* t** *ir**tory p*t* w**n provi*** to *utom*ti**lly **n*r*t* s*l*-si*n** **rti*i**t*s *or TLS *onn**tions wit* *li*nts) wit* r*stri*t** ***

Reasoning

T** vuln*r**ility *xpli*itly st*t*s t**t `*t**` us*s `os.Mk*ir*ll` to *r**t* *ir**tori*s wit* r*stri*t** p*rmissions (***), *ut *xistin* *ir**tori*s *r* not ****k** *or prop*r p*rmissions. T** *o st*n**r* li*r*ry's `os.Mk*ir*ll` *un*tion is t** root

5.7

Basic Information

Concerned about an active attack path?

CVE-2020-15113: Improper Preservation of Permissions in etcd

Vulnerability type

Detail

Specific Go Package Affected

Workarounds

References

For more information

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI