Description
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
References (4)
Core 4
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1552717
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/coreos/etcd/issues/9353
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/
Scores
CVSS v3
5.5
EPSS
0.0051
EPSS Percentile
39.9%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (3)
fedoraproject/fedora
30
go.etcd.io/etcd
0 - 3.4.0Go
redhat/etcd
< 3.3.1
Published
Apr 03, 2018
Tracked Since
Feb 18, 2026