Cross-site Request Forgery (CSRF) Affecting go.etcd.io/etcd/v3/etcdserver Open this link in a new tab package, versions <3.4.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
26 Apr 2018
25 Feb 2018
How to fix?
go.etcd.io/etcd/v3/etcdserver to version 3.4.0 or higher.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.