Cross-site Request Forgery (CSRF) Affecting etcd package, versions <3.4.23-1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-ETCD-282518
- published 3 Apr 2018
- disclosed 3 Apr 2018
Introduced: 3 Apr 2018
CVE-2018-1098 Open this link in a new tabHow to fix?
Upgrade Debian:unstable etcd to version 3.4.23-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream etcd package and not the etcd package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
References
- https://security-tracker.debian.org/tracker/CVE-2018-1098
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
- https://github.com/coreos/etcd/issues/9353
- https://bugzilla.redhat.com/show_bug.cgi?id=1552714
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-1098
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/