3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32082

CVE-2023-32082: etcd Key name can be accessed via LeaseTimeToLive API

Impact

LeaseTimeToLive API allows access to key names (not value) associated to a lease when Keys parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC).

Patches

< v3.4.26 and < v3.5.9 are affected.

Workarounds

No.

Reporter

Yoni Rozenshein

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-32082

CVE-2023-32082:

3.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/etcd-io/etcd	go	< 3.4.26	3.4.26
github.com/etcd-io/etcd	go	>= 3.5.0, < 3.5.9	3.5.9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the LeaseTimeToLive API endpoint not enforcing RBAC checks on key names when returning lease-associated keys. The GitHub PR #15656 explicitly shows added permission checks in the LeaseTimeToLive handler, confirming the function was missing authorization validation for key enumeration. The CHANGELOG entries for the patched versions (3.4.26/3.5.9) directly reference this fix, and the CWE-200 classification aligns with unauthorized information exposure through this endpoint.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-32082: etcd Key name can be accessed via LeaseTimeToLive API

Impact

Patches

Workarounds

Reporter

CVE-2023-32082:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.1

3.1

CVE-2023-32082: etcd Key name can be accessed via LeaseTimeToLive API

Impact

Patches

Workarounds

Reporter

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI