
CVE-2020-15114: Etcd Gateway can include itself as an endpoint resulting in resource exhaustion

CVSS Score: 7.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.30229%
Published: 1/31/2024
Updated: 1/31/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Package Name      Ecosystem   Vulnerable Versions        First Patched Version
go.etcd.io/etcd   go          >= 3.4.0-rc.0, <= 3.4.9    3.4.10
go.etcd.io/etcd   go          < 3.3.23                   3.3.23

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing validation when configuring gateway endpoints. From the advisory description, we infer that:

  1. Endpoint update/processing functions lacked self-reference checks
  2. Gateway initialization accepted invalid endpoint configurations

While exact patch details are unavailable, these functions represent the most likely locations for the missing validation, based on:
  • The vulnerability's nature (endpoint list poisoning)
  • etcd's gateway architecture
  • Common patterns in TCP proxy implementations

Confidence is medium because this is inferred from the vulnerability description rather than from direct patch analysis.
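As an added illustration of the self-reference check described above (this is not etcd's own code or patch), the following Go snippet drops any endpoint that would connect back to the gateway's own listen address before the proxy starts, and refuses to start when nothing usable remains instead of looping on itself. Function and parameter names are assumed; the host's interface addresses are passed in rather than read from net.InterfaceAddrs so the check runs offline, and hostnames are compared literally without DNS.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// wildcard hosts mean "listen on every local interface".
var wildcard = map[string]bool{"": true, "0.0.0.0": true, "::": true}

// isSelf reports whether eHost:ePort would connect back to a gateway listening
// on lHost:lPort. Hostnames are compared literally (no DNS); localIPs are the
// host's interface addresses, injected so the check runs offline (assumed API).
func isSelf(lHost, lPort, eHost, ePort string, localIPs []net.IP) bool {
	eIP, lIP := net.ParseIP(eHost), net.ParseIP(lHost)
	sameHost := strings.EqualFold(lHost, eHost) || (eIP != nil && eIP.Equal(lIP))
	// A wildcard listener also answers on loopback and on every interface IP.
	local := eHost == "localhost" || wildcard[eHost] || (eIP != nil && eIP.IsLoopback())
	for _, ip := range localIPs {
		local = local || (eIP != nil && eIP.Equal(ip))
	}
	return ePort == lPort && (sameHost || (wildcard[lHost] && local))
}

// FilterEndpoints drops endpoints that point back at listenAddr and fails if
// none remain, so a misconfigured gateway refuses to start instead of
// proxying to itself until it runs out of file descriptors.
func FilterEndpoints(listenAddr string, endpoints []string, localIPs []net.IP) ([]string, error) {
	lHost, lPort, err := net.SplitHostPort(listenAddr)
	if err != nil {
		return nil, fmt.Errorf("listen address %q: %w", listenAddr, err)
	}
	var kept []string
	for _, e := range endpoints {
		// Endpoints may carry a scheme; strip it before parsing host:port.
		eHost, ePort, err := net.SplitHostPort(strings.TrimPrefix(strings.TrimPrefix(e, "https://"), "http://"))
		if err != nil {
			return nil, fmt.Errorf("endpoint %q: %w", e, err)
		}
		if !isSelf(lHost, lPort, eHost, ePort, localIPs) {
			kept = append(kept, e)
		}
	}
	if len(kept) == 0 {
		return nil, fmt.Errorf("no usable endpoints: all point back at %s", listenAddr)
	}
	return kept, nil
}
```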


WAF Protection Rules

WAF Rule

Vulnerability type: Denial of Service
Detail: The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, s
