
CVE-2020-15113: Improper Preservation of Permissions in etcd

CVSS Score: 5.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.04252%
Published: 1/30/2024
Updated: 1/30/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Package Name               Ecosystem   Vulnerable Versions         First Patched Version
github.com/etcd-io/etcd    Go          >= 3.4.0-rc.0, < 3.4.10     3.4.10
github.com/etcd-io/etcd    Go          < 3.3.23                    3.3.23

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory states that etcd creates its data directory, and the directory used for automatically generated self-signed TLS certificates, by calling os.MkdirAll with mode 0700, but never checks the permissions of a directory that already exists at that path. os.MkdirAll itself behaves as documented: if the path is already a directory it does nothing and returns nil, so the 0700 argument is never applied to a pre-existing directory. The root cause is therefore etcd's use of the call rather than a defect in the Go standard library: etcd trusted that any directory it found on disk was one it had created with 0700, so a directory that already existed with wider permissions (for example 0755) keeps them, and the data and private keys etcd writes into it become readable by other local accounts. The exact etcd call sites are not provided in the data, but the advisory places the improper usage in etcd's directory-creation code (github.com/etcd-io/etcd/pkg/fileutil). Two points matter when checking a deployment: the mode passed to os.MkdirAll is also reduced by the process umask on the directories it does create, and the CVSS vector (AV:L, PR:H) reflects that exploiting this requires a local account able to create the directory before etcd starts.
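The pattern described above, as an added example written for this page and not etcd's own code: mkdirAllOnly reproduces the vulnerable call, and ensurePrivateDir is a hypothetical hardened helper that stats an existing directory and refuses one that grants anything to group or other. The directory names, the pre-existing 0755 directory and ErrDirTooOpen are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
)

// PrivateDirMode is the mode etcd intends for its data and auto-TLS
// directories: owner only (0700).
const PrivateDirMode os.FileMode = 0o700

// ErrDirTooOpen is returned when an existing directory is wider than 0700.
// (Constructed for this example.)
var ErrDirTooOpen = errors.New("directory permission wider than 0700")

// mkdirAllOnly is the vulnerable pattern: os.MkdirAll returns nil without
// touching the mode when dir already exists, so a pre-existing 0755
// directory stays 0755 and the 0700 argument is never applied.
func mkdirAllOnly(dir string) error {
	return os.MkdirAll(dir, PrivateDirMode)
}

// ensurePrivateDir is a hypothetical hardened replacement: create with 0700
// when the directory is missing, otherwise verify that the existing
// directory grants nothing to group or other, and refuse to proceed if it does.
func ensurePrivateDir(dir string) error {
	info, err := os.Stat(dir)
	if os.IsNotExist(err) {
		// MkdirAll is masked by the umask, so stat the result instead of
		// trusting the requested mode.
		if err := os.MkdirAll(dir, PrivateDirMode); err != nil {
			return err
		}
		info, err = os.Stat(dir)
	}
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%q exists but is not a directory", dir)
	}
	// Any bit outside 0700 means another local user can read or traverse
	// the directory that will hold etcd data or generated TLS keys.
	if perm := info.Mode().Perm(); perm&^PrivateDirMode != 0 {
		return fmt.Errorf("%w: %q is %#o, want %#o", ErrDirTooOpen, dir, perm, PrivateDirMode)
	}
	return nil
}

// dirPerm returns the permission bits of dir.
func dirPerm(dir string) (os.FileMode, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// demo builds a constructed scenario: a data directory that already exists
// with mode 0755 when etcd starts. It returns the mode the vulnerable path
// leaves behind and the error the hardened path raises for the same directory.
func demo() (leftBehind os.FileMode, hardenedErr error, err error) {
	base, err := os.MkdirTemp("", "cve-2020-15113-")
	if err != nil {
		return 0, nil, err
	}
	defer os.RemoveAll(base)

	data := filepath.Join(base, "default.etcd")
	// Pre-create the directory wide open; Chmod is not affected by the umask.
	if err := os.Mkdir(data, 0o755); err != nil {
		return 0, nil, err
	}
	if err := os.Chmod(data, 0o755); err != nil {
		return 0, nil, err
	}

	if err := mkdirAllOnly(data); err != nil {
		return 0, nil, err
	}
	leftBehind, err = dirPerm(data) // still 0755: MkdirAll was a no-op
	if err != nil {
		return 0, nil, err
	}
	hardenedErr = ensurePrivateDir(data) // wraps ErrDirTooOpen
	return leftBehind, hardenedErr, nil
}

func main() {
	perm, hardenedErr, err := demo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("after os.MkdirAll on existing dir: %#o\n", perm)
	fmt.Printf("hardened check: %v\n", hardenedErr)
}
```

Checking perm&^0700 rather than perm == 0700 flags any group or other bit while still accepting a directory that a stricter umask left at, say, 0500. The helper errors out instead of silently chmod-ing: by the time etcd starts, the open directory may already contain files written while it was readable, and a chmod would hide that from the operator.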


WAF Protection Rules

WAF Rule

Vulnerability type: Access controls

Detail: etcd creates certain directory paths (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access
