CVE-2020-15113 : Security Advisory and Response

Learn about CVE-2020-15113, an improper preservation of permissions vulnerability in etcd versions < 3.3.23 and < 3.4.10. Understand the impact, affected systems, and mitigation steps.

In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created with restricted access permissions, leading to an improper preservation of permissions vulnerability.

Understanding CVE-2020-15113

This CVE involves the improper preservation of permissions in etcd, affecting versions prior to 3.3.23 and 3.4.10.

What is CVE-2020-15113?

CVE-2020-15113 is a vulnerability in etcd in which certain directory paths that are meant to be created with restricted access permissions can end up with different permissions, potentially leading to unauthorized access.

The Impact of CVE-2020-15113

        CVSS Base Score: 5.7 (Medium)
        Attack Vector: Local
        Confidentiality Impact: High
        Integrity Impact: High
        Privileges Required: High

Technical Details of CVE-2020-15113

This section provides detailed technical information about the vulnerability.

Vulnerability Description

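The issue arises because etcd creates these directory paths with restricted access permissions using os.MkdirAll, which performs no permission check. If the path already exists, os.MkdirAll does nothing and returns nil, so a directory that already has broader permissions keeps them, potentially allowing unauthorized access.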

Affected Systems and Versions

        Affected Product: etcd
        Vendor: etcd-io
        Vulnerable Versions:
              < 3.3.23
              < 3.4.10

Exploitation Mechanism

The vulnerability can be exploited by attackers to gain unauthorized access to sensitive directory paths due to the improper permission settings.

Mitigation and Prevention

Protect your systems from CVE-2020-15113 with the following steps:

Immediate Steps to Take

        Ensure directories have the desired permission (700) to restrict unauthorized access.
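The os.MkdirAll behaviour described above, and one way to enforce the 700 check, as an added example that is not etcd's code or its patch. `EnsurePrivateDir`, `must` and `Demo` are hypothetical names, and the directory is a constructed temporary path.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

const privateDirMode os.FileMode = 0o700 // the 700 the advisory recommends

// EnsurePrivateDir is a hypothetical helper, not etcd's API. os.MkdirAll returns
// nil and keeps the old mode when dir already exists, so the mode is verified.
func EnsurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if perm := info.Mode().Perm(); perm != privateDirMode {
		return fmt.Errorf("%s has mode %04o, want %04o", dir, perm, privateDirMode)
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo uses a constructed temp directory as the pre-existing, loosely permissioned
// path. It returns its mode after a bare MkdirAll and the helper's two verdicts.
func Demo() (os.FileMode, error, error) {
	root, err := os.MkdirTemp("", "perm-demo-")
	must(err)
	defer os.RemoveAll(root)
	must(os.Chmod(root, 0o755))             // pre-existing directory, mode 0755
	must(os.MkdirAll(root, privateDirMode)) // bare call: succeeds, changes nothing
	info, err := os.Stat(root)
	must(err)
	return info.Mode().Perm(), EnsurePrivateDir(root), EnsurePrivateDir(filepath.Join(root, "fresh"))
}

func main() {
	mode, existing, fresh := Demo()
	fmt.Printf("after MkdirAll: %04o\nexisting dir: %v\nfresh dir: %v\n", mode, existing, fresh)
}
```

The helper fails closed on a pre-existing directory with the wrong mode instead of silently tightening it, so an operator sees the mismatch.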

Long-Term Security Practices

        Regularly review and update directory permissions to prevent similar vulnerabilities.

Patching and Updates

        Update etcd to version 3.3.23 or 3.4.10 to mitigate the vulnerability.
