Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/etcd@3.3.23-1?arch=el8ost
purl pkg:rpm/redhat/etcd@3.3.23-1?arch=el8ost
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-15ma-yxfn-xbeu
Aliases:
CVE-2020-15114
GHSA-2xhq-gv6c-p224
Etcd Gateway can include itself as an endpoint resulting in resource exhaustion ### Vulnerability type Denial of Service ### Detail The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc) There are no reported fixed by versions.
VCID-3533-gs1j-8yby
Aliases:
CVE-2020-15115
GHSA-4993-m7g5-r9hh
etcd has no minimum password length ### Vulnerability type Access Control ### Workarounds The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations. [It is the responsibility of the administrator to enforce these requirements](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/authentication.md#notes-on-password-strength). ### Detail etcd does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users’ passwords with little computational effort. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc) There are no reported fixed by versions.
VCID-7ebn-2p3p-bfg9
Aliases:
CVE-2020-15113
GHSA-chh6-ppwq-jh92
Improper Preservation of Permissions in etcd ### Vulnerability type Access Controls ### Detail etcd creates certain directory paths (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. ### Specific Go Package Affected github.com/etcd-io/etcd/pkg/fileutil ### Workarounds Make sure these directories have the desired permit (700). ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc) There are no reported fixed by versions.
VCID-e63c-7p3h-f3gj
Aliases:
CVE-2020-15106
GHSA-p4g4-wgrh-qrg2
Panic due to malformed WALs in go.etcd.io/etcd ### Vulnerability type Data Validation ### Detail The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL. ### Specific Go Packages Affected github.com/etcd-io/etcd/wal ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc) There are no reported fixed by versions.
VCID-uyag-gzdr-kbf9
Aliases:
CVE-2020-15112
GHSA-m332-53r6-2w93
etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic ### Vulnerability type Data Validation ### Detail In the ReadAll method in wal/wal.go, it is possible to have an entry index greater then the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md) There are no reported fixed by versions.
VCID-vj2t-6kre-53h6
Aliases:
CVE-2020-15136
GHSA-wr2v-9rpq-c35q
Etcd Gateway TLS authentication only applies to endpoints detected in DNS SRV records ### Vulnerability type Cryptography ### Workarounds Refer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. ### Detail When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc) There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:05:16.645159+00:00 RedHat Importer Affected by VCID-e63c-7p3h-f3gj https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15106.json 38.0.0
2026-04-01T14:05:16.614520+00:00 RedHat Importer Affected by VCID-vj2t-6kre-53h6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15136.json 38.0.0
2026-04-01T14:05:16.586684+00:00 RedHat Importer Affected by VCID-3533-gs1j-8yby https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15115.json 38.0.0
2026-04-01T14:05:16.558208+00:00 RedHat Importer Affected by VCID-15ma-yxfn-xbeu https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15114.json 38.0.0
2026-04-01T14:05:16.530868+00:00 RedHat Importer Affected by VCID-7ebn-2p3p-bfg9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15113.json 38.0.0
2026-04-01T14:05:16.330158+00:00 RedHat Importer Affected by VCID-uyag-gzdr-kbf9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15112.json 38.0.0