CVE-2018-1098

NameCVE-2018-1098
DescriptionA cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs921156

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
etcd (PTS)buster3.2.26+dfsg-3vulnerable
bullseye3.3.25+dfsg-6vulnerable
bookworm, sid3.4.23-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
etcdsourceexperimental3.5.5-1
etcdsource(unstable)3.4.23-1low921156

Notes

[bullseye] - etcd <no-dsa> (Minor issue)
[buster] - etcd <no-dsa> (Minor issue)
https://github.com/coreos/etcd/issues/9353
https://github.com/etcd-io/etcd/pull/9372
https://bugzilla.redhat.com/show_bug.cgi?id=1552714
Search for package or bug name: Reporting problems