Improper Authentication affecting the etcd package, versions >=3.2.0 <3.2.26 and >=3.3.0 <3.3.11

  • published: 16 Jan 2019
  • disclosed: 3 Jan 2019
  • credit: Matt Wheeler

How to fix?

Upgrade to version 3.2.26, 3.3.11 or higher.


Affected versions of this package are vulnerable to Improper Authentication. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.

Note: This is possible only when role-based access control (RBAC) is used and client-cert-auth is enabled.
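As an added triage helper (not part of the advisory and not etcd project code), the script below checks the three preconditions the advisory names: an etcd version inside the affected ranges, client-cert-auth enabled, and RBAC in use. It assumes etcd's YAML configuration layout (`client-transport-security` with a `client-cert-auth` key) and takes the RBAC state as an operator-supplied boolean, since that is runtime cluster state rather than a config key; the version string and config are constructed sample input.

```python
"""Triage helper for the etcd improper-authentication advisory above.

Assumptions (not from the advisory): the etcd YAML config exposes
'client-transport-security' -> 'client-cert-auth', and the operator
supplies whether RBAC authentication is enabled on the cluster.
"""
import re

# Affected ranges exactly as stated in the advisory:
# >=3.2.0 <3.2.26 and >=3.3.0 <3.3.11 (lower bound inclusive, upper exclusive).
AFFECTED_RANGES = [((3, 2, 0), (3, 2, 26)), ((3, 3, 0), (3, 3, 11))]
FIXED_VERSIONS = ("3.2.26", "3.3.11")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from text such as 'etcd Version: 3.3.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the parsed version falls inside one of the advisory's ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def exposure(version_text, config, auth_enabled):
    """Evaluate the advisory's preconditions against a version string and a config dict.

    Returns a dict with each precondition plus an overall 'exploitable' flag that is
    true only when all three hold, and the upgrade advice from the advisory.
    """
    cts = config.get("client-transport-security") or {}
    cert_auth = bool(cts.get("client-cert-auth", False))
    affected = is_affected(version_text)
    return {
        "version": ".".join(str(p) for p in parse_version(version_text)),
        "affected_version": affected,
        "client_cert_auth": cert_auth,
        "rbac_enabled": bool(auth_enabled),
        "exploitable": affected and cert_auth and bool(auth_enabled),
        "fix": "upgrade to %s or higher" % " / ".join(FIXED_VERSIONS),
    }


if __name__ == "__main__":
    # Constructed sample input: output of `etcd --version` and a minimal config.yaml.
    sample_version = "etcd Version: 3.3.10\nGit SHA: (placeholder)"
    sample_config = {"client-transport-security": {"client-cert-auth": True}}
    for rbac in (True, False):
        print(exposure(sample_version, sample_config, auth_enabled=rbac))
```

Run it against the real `etcd --version` output and the node's config file; only a result with `exploitable` set to true needs the upgrade treated as urgent, while an affected version without client-cert-auth or RBAC should still be scheduled for the fixed release.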