CVE-2020-15113: Improper Preservation of Permissions in etcd
CVSS Score: 5.7 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.04252%
CWE
Published: 1/30/2024
Updated: 1/30/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/etcd-io/etcd | go | >= 3.4.0-rc.0, < 3.4.10 | 3.4.10 |
github.com/etcd-io/etcd | go | < 3.3.23 | 3.3.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory states that etcd uses `os.MkdirAll` to create directories with restricted permissions (700), but existing directories are not checked for proper permissions. The Go standard library's `os.MkdirAll` function is the root cause because it does not enforce permissions on pre-existing directories. While the exact etcd code paths calling `os.MkdirAll` are not provided in the data, the advisory confirms the improper usage occurs in the etcd package (`github.com/etcd-io/etcd/pkg/fileutil`) for directory creation. Thus, the vulnerable function is `os.MkdirAll` as used by etcd in these contexts.
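The behaviour described above, shown as an added example that is not etcd's code or its patch: a bare `os.MkdirAll(dir, 0700)` on a pre-existing, wider-permission directory succeeds and leaves the mode unchanged, while a post-creation check catches it. The helper `ensurePrivateDir`, the function `demo` and the temporary paths are hypothetical, and POSIX permission semantics are assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

const privateMode os.FileMode = 0o700

// ensurePrivateDir (hypothetical helper) creates dir if needed, then rejects
// a directory whose permission bits are not exactly 0700.
func ensurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, privateMode); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if got := info.Mode().Perm(); got != privateMode {
		return fmt.Errorf("%s has mode %04o, want %04o", dir, got, privateMode)
	}
	return nil
}

// demo builds a constructed pre-existing 0755 directory, calls a bare
// os.MkdirAll(dir, 0700) on it, and returns the resulting mode, the verdict
// of ensurePrivateDir on the same directory, and any setup error.
func demo() (os.FileMode, error, error) {
	base, err := os.MkdirTemp("", "mkdirall-demo")
	if err != nil {
		return 0, nil, err
	}
	defer os.RemoveAll(base)
	dir := filepath.Join(base, "data")
	if err := os.Mkdir(dir, 0o755); err != nil {
		return 0, nil, err
	}
	if err := os.Chmod(dir, 0o755); err != nil { // exact mode, independent of umask
		return 0, nil, err
	}
	if err := os.MkdirAll(dir, privateMode); err != nil { // succeeds, changes nothing
		return 0, nil, err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, nil, err
	}
	return info.Mode().Perm(), ensurePrivateDir(dir), nil
}

func main() { fmt.Println(demo()) }
```

Whether to fail, warn, or `chmod` on a mismatch is a policy choice; the example fails closed so an operator has to fix the directory explicitly.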