Lookup for vulnerable packages by Package URL.

Purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
Type golang
Namespace go.etcd.io/etcd
Name v3
Version 3.4.10
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 3.4.42
Latest_non_vulnerable_version 3.6.9
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-9jzm-m7bx-akdg
vulnerability_id VCID-9jzm-m7bx-akdg
summary
etcd vulnerable to TOCTOU of gateway endpoint authentication
### Vulnerability type
Authentication

### Workarounds
Refer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoint validation.

### Detail
The gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated. The auditors have noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.

### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
references
0
reference_url https://github.com/etcd-io/etcd
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd
1
reference_url https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc
fixed_packages
0
url pkg:golang/go.etcd.io/etcd/v3@3.3.23
purl pkg:golang/go.etcd.io/etcd/v3@3.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23
1
url pkg:golang/go.etcd.io/etcd/v3@3.4.10
purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10
aliases GHSA-h8g9-6gvh-5mrc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9jzm-m7bx-akdg
1
url VCID-hk71-s5jq-7fhz
vulnerability_id VCID-hk71-s5jq-7fhz
summary
Etcd Gateway TLS endpoint validation only confirms TCP reachability
### Vulnerability type
Cryptography

### Workarounds
Refer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoint validation.

### Detail
Secure endpoint validation is performed by the etcd gateway start command when the --discovery-srv flag is enabled. However, as currently implemented, it only validates TCP reachability, effectively allowing connections to an endpoint that doesn't accept TLS connections through the HTTPS URL. The auditors have noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.

### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
references
0
reference_url https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f
fixed_packages
0
url pkg:golang/go.etcd.io/etcd/v3@3.3.23
purl pkg:golang/go.etcd.io/etcd/v3@3.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23
1
url pkg:golang/go.etcd.io/etcd/v3@3.4.10
purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10
aliases GHSA-j86v-2vjr-fg8f
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hk71-s5jq-7fhz
2
url VCID-jvhn-21an-4ugm
vulnerability_id VCID-jvhn-21an-4ugm
summary
Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only
### Vulnerability type
Logging

### Detail
etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be misleading when auditing etcd logs.

### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
references
0
reference_url https://github.com/etcd-io/etcd
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd
1
reference_url https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64
fixed_packages
0
url pkg:golang/go.etcd.io/etcd/v3@3.3.23
purl pkg:golang/go.etcd.io/etcd/v3@3.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23
1
url pkg:golang/go.etcd.io/etcd/v3@3.4.10
purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10
aliases GHSA-vjg6-93fv-qv64
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jvhn-21an-4ugm
3
url VCID-uyag-gzdr-kbf9
vulnerability_id VCID-uyag-gzdr-kbf9
summary
etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
### Vulnerability type
Data Validation

### Detail
In the ReadAll method in wal/wal.go, it is possible to have an entry index greater than the number of entries. This could cause issues when WAL entries are being read during consensus, as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.

### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15112.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15112.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15112
reference_id
reference_type
scores
0
value 0.00113
scoring_system epss
scoring_elements 0.29862
published_at 2026-04-12T12:55:00Z
1
value 0.00113
scoring_system epss
scoring_elements 0.29764
published_at 2026-04-21T12:55:00Z
2
value 0.00113
scoring_system epss
scoring_elements 0.29811
published_at 2026-04-18T12:55:00Z
3
value 0.00113
scoring_system epss
scoring_elements 0.29831
published_at 2026-04-16T12:55:00Z
4
value 0.00113
scoring_system epss
scoring_elements 0.29813
published_at 2026-04-13T12:55:00Z
5
value 0.00113
scoring_system epss
scoring_elements 0.299
published_at 2026-04-01T12:55:00Z
6
value 0.00113
scoring_system epss
scoring_elements 0.29943
published_at 2026-04-02T12:55:00Z
7
value 0.00113
scoring_system epss
scoring_elements 0.29992
published_at 2026-04-04T12:55:00Z
8
value 0.00113
scoring_system epss
scoring_elements 0.29804
published_at 2026-04-07T12:55:00Z
9
value 0.00113
scoring_system epss
scoring_elements 0.29866
published_at 2026-04-08T12:55:00Z
10
value 0.00113
scoring_system epss
scoring_elements 0.29902
published_at 2026-04-09T12:55:00Z
11
value 0.00113
scoring_system epss
scoring_elements 0.29908
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15112
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15112
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15112
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/etcd-io/etcd
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd
5
reference_url https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf
6
reference_url https://github.com/etcd-io/etcd/commit/7d1cf640497cbcdfb932e619b13624112c7e3865
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/commit/7d1cf640497cbcdfb932e619b13624112c7e3865
7
reference_url https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07
8
reference_url https://github.com/etcd-io/etcd/pull/11793
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/pull/11793
9
reference_url https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15112
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15112
12
reference_url https://pkg.go.dev/vuln/GO-2020-0005
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://pkg.go.dev/vuln/GO-2020-0005
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1868872
reference_id 1868872
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1868872
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968740
reference_id 968740
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968740
15
reference_url https://access.redhat.com/errata/RHSA-2021:0916
reference_id RHSA-2021:0916
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:0916
16
reference_url https://access.redhat.com/errata/RHSA-2021:1407
reference_id RHSA-2021:1407
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1407
17
reference_url https://access.redhat.com/errata/RHSA-2021:2438
reference_id RHSA-2021:2438
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2438
18
reference_url https://usn.ubuntu.com/5628-1/
reference_id USN-5628-1
reference_type
scores
url https://usn.ubuntu.com/5628-1/
19
reference_url https://usn.ubuntu.com/USN-5628-2/
reference_id USN-USN-5628-2
reference_type
scores
url https://usn.ubuntu.com/USN-5628-2/
fixed_packages
0
url pkg:golang/go.etcd.io/etcd/v3@3.3.23
purl pkg:golang/go.etcd.io/etcd/v3@3.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23
1
url pkg:golang/go.etcd.io/etcd/v3@3.4.10
purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10
aliases CVE-2020-15112, GHSA-m332-53r6-2w93
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uyag-gzdr-kbf9
4
url VCID-xkcm-vrk1-u3g6
vulnerability_id VCID-xkcm-vrk1-u3g6
summary
Etcd embed auto compaction retention negative value causing a compaction loop or a crash
### Impact
Data Validation

### Detail
The parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs.

### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)

### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
references
0
reference_url https://github.com/etcd-io/etcd
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd
1
reference_url https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh
fixed_packages
0
url pkg:golang/go.etcd.io/etcd/v3@3.3.23
purl pkg:golang/go.etcd.io/etcd/v3@3.3.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23
1
url pkg:golang/go.etcd.io/etcd/v3@3.4.10
purl pkg:golang/go.etcd.io/etcd/v3@3.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10
aliases GHSA-pm3m-32r3-7mfh
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkcm-vrk1-u3g6
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10