CVE-2020-15114: Etcd Gateway can include itself as an endpoint resulting in resource exhaustion
CVSS Score: 7.7 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-15114
GHSA ID:
EPSS Score: 0.30229%
CWE:
Published: 1/31/2024
Updated: 1/31/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
go.etcd.io/etcd | go | >= 3.4.0-rc.0, <= 3.4.9 | 3.4.10 |
go.etcd.io/etcd | go | < 3.3.23 | 3.3.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing validation when configuring gateway endpoints. From the advisory description, we infer that:
- Endpoint update/processing functions lacked self-reference checks
- Gateway initialization accepted invalid endpoint configurations

While exact patch details are unavailable, these functions represent the most likely locations for missing validation based on:
- The vulnerability's nature (endpoint list poisoning)
- etcd's gateway architecture
- Common patterns in TCP proxy implementations

Confidence is medium due to inference from the vulnerability description rather than direct patch analysis.
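One shape the missing self-reference check could take, as an added example in Go (not etcd's own code and not the actual patch): before the gateway starts proxying, every configured endpoint, with or without a URL scheme, is compared against the gateway's listen address, treating loopback, wildcard and "localhost" spellings as the same listener. The function names, the listen address and the endpoint list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrSelfEndpoint marks an endpoint that points back at the gateway's own listener.
var ErrSelfEndpoint = errors.New("endpoint refers to the gateway's own listen address")

// hostPort strips a leading scheme ("http://", "https://") and splits host:port.
func hostPort(addr string) (host, port string, err error) {
	if i := strings.Index(addr, "://"); i >= 0 {
		addr = addr[i+3:]
	}
	return net.SplitHostPort(addr)
}

// isLocalHost: empty, "localhost", wildcard (0.0.0.0, ::) and loopback all name this machine.
func isLocalHost(host string) bool {
	if host == "" || host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && (ip.IsUnspecified() || ip.IsLoopback())
}

// ValidateEndpoints rejects any endpoint the gateway itself would answer. Hostnames are
// compared literally (not resolved); a wildcard listener is not matched against interface IPs.
func ValidateEndpoints(listenAddr string, endpoints []string) error {
	lHost, lPort, err := hostPort(listenAddr)
	if err != nil {
		return fmt.Errorf("bad listen address %q: %w", listenAddr, err)
	}
	for _, ep := range endpoints {
		eHost, ePort, err := hostPort(ep)
		if err != nil {
			return fmt.Errorf("bad endpoint %q: %w", ep, err)
		}
		if ePort == lPort && (eHost == lHost || (isLocalHost(eHost) && isLocalHost(lHost))) {
			return fmt.Errorf("%w: %s", ErrSelfEndpoint, ep)
		}
	}
	return nil
}
func main() { // constructed input: a loopback listen address with itself in the endpoint list
	fmt.Println(ValidateEndpoints("127.0.0.1:23790", []string{"http://10.0.0.1:2379", "http://localhost:23790"}))
}
```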