Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (5)
Vulnerability: VCID-9jzm-m7bx-akdg
Summary: etcd vulnerable to TOCTOU of gateway endpoint authentication
### Vulnerability type
Authentication
### Workarounds
Refer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoint validation.
### Detail
The gateway only authenticates endpoints discovered from DNS SRV records, and it authenticates those endpoints only once. If an endpoint later changes its authentication settings, the gateway continues to assume the endpoint is still authenticated (a time-of-check to time-of-use gap). The auditors have noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
Aliases: GHSA-h8g9-6gvh-5mrc

Vulnerability: VCID-hk71-s5jq-7fhz
Summary: etcd gateway TLS endpoint validation only confirms TCP reachability
### Vulnerability type
Cryptography
### Workarounds
Refer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoint validation.
### Detail
Secure endpoint validation is performed by the `etcd gateway start` command when the --discovery-srv flag is enabled. As implemented, however, it only validates TCP reachability, so an endpoint reached through an https:// URL is accepted even if it does not accept TLS connections at all. The auditors have noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
Aliases: GHSA-j86v-2vjr-fg8f
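
The two gateway advisories above both come down to the same gap: a TCP connect says nothing about whether the peer speaks TLS, let alone whether it presents a certificate you trust. The following is an added example, not code from etcd or from the audit, contrasting the weak check (a plain dial) with the check an operator actually wants before trusting an https:// endpoint (a completed TLS handshake verified against a CA pool). The listeners, the self-signed certificate and the function names `tcpReachable`, `tlsReachable` and `runChecks` are constructed for this illustration and are not etcd's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tcpReachable is the weak check described in the advisory: a plain TCP
// dial. It succeeds against any listener, TLS or not.
func tcpReachable(addr string) error {
	c, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return err
	}
	return c.Close()
}

// tlsReachable completes a TLS handshake and verifies the server certificate
// against roots for serverName; a plaintext listener cannot pass this.
func tlsReachable(addr, serverName string, roots *x509.CertPool) error {
	d := &net.Dialer{Timeout: 2 * time.Second}
	c, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{
		ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	return c.Close()
}

// selfSignedCert makes a throwaway certificate for 127.0.0.1 so the demo runs
// offline. Constructed for this example; nothing here comes from etcd.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// acceptLoop serves l until it is closed, handing each connection to handle.
func acceptLoop(l net.Listener, handle func(net.Conn)) {
	for {
		c, err := l.Accept()
		if err != nil {
			return
		}
		go handle(c)
	}
}

// Result records how each check judged each endpoint.
type Result struct {
	PlainPassesTCP, PlainPassesTLS bool // plaintext listener behind an https:// URL
	TLSPassesTCP, TLSPassesTLS     bool // genuine TLS listener
}

// runChecks starts one plaintext and one TLS listener on loopback and runs
// both checks against each.
func runChecks() (Result, error) {
	var r Result
	plain, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return r, err
	}
	defer plain.Close()
	go acceptLoop(plain, func(c net.Conn) { c.Close() }) // never speaks TLS

	cert, pool, err := selfSignedCert()
	if err != nil {
		return r, err
	}
	secure, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return r, err
	}
	defer secure.Close()
	go acceptLoop(secure, func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() })

	r.PlainPassesTCP = tcpReachable(plain.Addr().String()) == nil
	r.PlainPassesTLS = tlsReachable(plain.Addr().String(), "127.0.0.1", pool) == nil
	r.TLSPassesTCP = tcpReachable(secure.Addr().String()) == nil
	r.TLSPassesTLS = tlsReachable(secure.Addr().String(), "127.0.0.1", pool) == nil
	return r, nil
}

func main() {
	r, err := runChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext endpoint: tcp=%v tls=%v\n", r.PlainPassesTCP, r.PlainPassesTLS)
	fmt.Printf("tls endpoint:       tcp=%v tls=%v\n", r.TLSPassesTCP, r.TLSPassesTLS)
}
```

The plaintext listener passes the TCP check and fails the TLS check; the real TLS listener passes both. The TLS check also addresses the TOCTOU advisory only if it is repeated: a one-time result at startup goes stale as soon as the endpoint's certificate or authentication settings change, so it belongs on each connection (or on a refresh interval), not in a cache populated once from the SRV lookup.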

Vulnerability: VCID-jvhn-21an-4ugm
Summary: etcd auth: inaccurate logging of authentication attempts for users with CN-based auth only
### Vulnerability type
Logging
### Detail
etcd users who have no password can authenticate only through a client certificate. When such a user tries to authenticate through the Authenticate endpoint, the error is logged with insufficient information about why authentication failed, which can be misleading when auditing etcd logs.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
Aliases: GHSA-vjg6-93fv-qv64

Vulnerability: VCID-uyag-gzdr-kbf9
Summary: etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic
### Vulnerability type
Data Validation
### Detail
In the ReadAll method in wal/wal.go, an entry's index can be greater than the number of entries read so far. This can cause a runtime panic while WAL entries are being read during consensus, so an arbitrary etcd consensus participant could crash when reading such an entry.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md)
Aliases: CVE-2020-15112, GHSA-m332-53r6-2w93
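
To make the failure mode concrete, here is an added example (not etcd's code) of the replay pattern the advisory describes: each WAL record is placed by slicing the entries read so far at a position derived from the record's index, so a record whose index jumps past that count makes the slice expression panic. `replayUnchecked` reproduces the crash; `replayChecked` bounds-checks the position first and returns an error the caller can act on. The `Entry` type, the `ErrSliceOutOfRange` sentinel and the sample records are constructed for this illustration; the only assumption taken from the advisory is that the position is computed from the entry index and the snapshot's start index.

```go
package main

import (
	"errors"
	"fmt"
)

// Entry is a minimal stand-in for a raft log entry: only the fields the
// replay logic needs. Constructed for this example.
type Entry struct {
	Index uint64
	Data  string
}

var ErrSliceOutOfRange = errors.New("wal: entry index out of range")

// replayUnchecked follows the pattern described in the advisory: a record with
// index i overwrites the log from position i-start-1 onward, with no check that
// the position lies within the entries read so far. A crafted index panics.
func replayUnchecked(start uint64, recs []Entry) []Entry {
	var ents []Entry
	for _, e := range recs {
		if e.Index > start {
			ents = append(ents[:e.Index-start-1], e)
		}
	}
	return ents
}

// replayChecked validates the position before slicing and reports a malformed
// record as an error instead of crashing the member.
func replayChecked(start uint64, recs []Entry) ([]Entry, error) {
	var ents []Entry
	for _, e := range recs {
		if e.Index <= start {
			continue // predates the snapshot; already applied
		}
		up := e.Index - start - 1
		if up > uint64(len(ents)) {
			return nil, fmt.Errorf("%w: index %d with %d entries read (start index %d)",
				ErrSliceOutOfRange, e.Index, len(ents), start)
		}
		ents = append(ents[:up], e)
	}
	return ents, nil
}

// panics reports whether f panics, so the unchecked path can be shown safely.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	start := uint64(0) // index of the snapshot the WAL follows; constructed
	// Well-formed log: indices 1..3, then a rewrite of index 2 (a truncated tail).
	good := []Entry{{1, "a"}, {2, "b"}, {3, "c"}, {2, "b'"}}
	ents, err := replayChecked(start, good)
	fmt.Println("well-formed:", ents, err)
	// Crafted log: index jumps past the entries read so far.
	crafted := []Entry{{1, "a"}, {7, "x"}}
	fmt.Println("unchecked replay panics:", panics(func() { replayUnchecked(start, crafted) }))
	_, err = replayChecked(start, crafted)
	fmt.Println("checked replay:", err)
}
```

Note that a rewrite of an earlier index is legitimate (it is how a truncated log tail is represented), so the check must allow positions up to and including the current length and reject only positions beyond it.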

Vulnerability: VCID-xkcm-vrk1-u3g6
Summary: etcd embed auto compaction retention negative value causing a compaction loop or a crash
### Vulnerability type
Data Validation
### Detail
The parseCompactionRetention function in embed/etcd.go allows the retention value to be negative, which causes the node to execute history compaction in a loop, consuming more CPU than usual and spamming the logs.
### References
Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)
### For more information
If you have any questions or comments about this advisory:
* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)
Aliases: GHSA-pm3m-32r3-7mfh
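
The fix for a value like this is input validation at the parse boundary, before the value reaches the compactor. The following is an added example of such a parser, written for this page rather than taken from etcd: it keeps the two auto-compaction modes (periodic and revision), treats "0" as "disabled", and rejects negative values, non-numeric revision counts and hour counts that would overflow a duration. The `Retention` type, the `parseRetention` name and the rule that a bare integer in periodic mode means hours are this example's own conventions.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"time"
)

// CompactionMode names the two auto-compaction modes.
type CompactionMode string

const (
	ModePeriodic CompactionMode = "periodic"
	ModeRevision CompactionMode = "revision"
)

// Retention is the parsed auto-compaction retention setting. Only one of
// Period or Revisions is meaningful, depending on Mode.
type Retention struct {
	Mode      CompactionMode
	Period    time.Duration // periodic mode: amount of history to keep
	Revisions int64         // revision mode: number of revisions to keep
	Disabled  bool          // "0" means auto compaction is off
}

// parseRetention parses raw for the given mode and, unlike the parser the
// advisory describes, refuses negative values instead of handing them to the
// compactor. Periodic mode accepts a bare integer (hours) or a Go duration
// such as "30m"; revision mode accepts only a non-negative integer.
func parseRetention(mode CompactionMode, raw string) (Retention, error) {
	r := Retention{Mode: mode}
	switch mode {
	case ModeRevision:
		n, err := strconv.ParseInt(raw, 10, 64)
		if err != nil {
			return r, fmt.Errorf("revision retention %q: %w", raw, err)
		}
		if n < 0 {
			return r, fmt.Errorf("revision retention %d: negative values are not allowed", n)
		}
		r.Revisions, r.Disabled = n, n == 0
	case ModePeriodic:
		var d time.Duration
		if h, err := strconv.ParseInt(raw, 10, 64); err == nil {
			// Check the range before multiplying: a huge or very negative hour
			// count would wrap around and could even come out positive.
			if h < 0 || h > int64(math.MaxInt64/time.Hour) {
				return r, fmt.Errorf("periodic retention %d hours: out of range", h)
			}
			d = time.Duration(h) * time.Hour
		} else if d, err = time.ParseDuration(raw); err != nil {
			return r, fmt.Errorf("periodic retention %q: %w", raw, err)
		}
		if d < 0 { // e.g. "-5m", which ParseDuration accepts
			return r, fmt.Errorf("periodic retention %s: negative values are not allowed", d)
		}
		r.Period, r.Disabled = d, d == 0
	default:
		return r, fmt.Errorf("unknown compaction mode %q", mode)
	}
	return r, nil
}

func main() {
	// Constructed inputs, including the negative values the advisory is about.
	cases := []struct {
		mode CompactionMode
		raw  string
	}{
		{ModePeriodic, "5m"}, {ModePeriodic, "2"}, {ModePeriodic, "0"},
		{ModePeriodic, "-1"}, {ModePeriodic, "-5m"},
		{ModeRevision, "1000"}, {ModeRevision, "-1000"}, {ModeRevision, "5m"},
	}
	for _, c := range cases {
		r, err := parseRetention(c.mode, c.raw)
		fmt.Printf("%-8s %-6q -> %+v err=%v\n", c.mode, c.raw, r, err)
	}
}
```

Rejecting at parse time is the right layer: once a negative retention reaches a periodic compactor, "is the oldest kept revision older than the retention window" is true on every tick, which is exactly the loop the advisory describes.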