Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/53844?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "type": "golang", "namespace": "go.etcd.io/etcd", "name": "v3", "version": "3.4.10", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.4.42", "latest_non_vulnerable_version": "3.6.11", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51798?format=api", "vulnerability_id": "VCID-9jzm-m7bx-akdg", "summary": "etcd vulnerable to TOCTOU of gateway endpoint authentication\n### Vulnerability type\nAuthentication\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. \n\n### Detail\nThe gateway only authenticates endpoints detected from DNS SRV records, and it only authenticates the detected endpoints once. Therefore, if an endpoint changes its authentication settings, the gateway will continue to assume the endpoint is still authenticated. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", "references": [ { "reference_url": "https://github.com/etcd-io/etcd", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd" }, { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-h8g9-6gvh-5mrc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "aliases": [ "GHSA-h8g9-6gvh-5mrc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jzm-m7bx-akdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15324?format=api", "vulnerability_id": "VCID-hk71-s5jq-7fhz", "summary": "Etcd Gateway TLS endpoint validation only confirms TCP reachability\n### Vulnerability type\nCryptography\n\n### Workarounds\nRefer to the [gateway documentation](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/gateway.md). The vulnerability was spotted due to unclear documentation of how the gateway handles endpoints validation. \n\n### Detail\nSecure endpoint validation is performed by the etcd gateway start command when the --discovery-srv flag is enabled. However, as currently implemented, it only validates TCP reachability, effectively allowing connections to an endpoint that doesn't accept TLS connections through the HTTPS URL. The auditors has noted that appropriate documentation of this validation functionality plus deprecation of this misleading functionality is an acceptable path forward.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", "references": [ { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-j86v-2vjr-fg8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "aliases": [ "GHSA-j86v-2vjr-fg8f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hk71-s5jq-7fhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15218?format=api", "vulnerability_id": "VCID-jvhn-21an-4ugm", "summary": "Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only\n### Vulnerability type\nLogging\n\n### Detail\netcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be misleading when auditing etcd logs.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", "references": [ { "reference_url": "https://github.com/etcd-io/etcd", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd" }, { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-vjg6-93fv-qv64" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "aliases": [ "GHSA-vjg6-93fv-qv64" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jvhn-21an-4ugm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51913?format=api", "vulnerability_id": "VCID-uyag-gzdr-kbf9", "summary": "etcd's WAL `ReadAll` method vulnerable to an entry with large index causing panic\n### Vulnerability type\nData Validation\n\n### Detail\nIn the ReadAll method in wal/wal.go, it is possible to have an entry index greater then the number of entries. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15112.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15112.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29384", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29364", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29442", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29431", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29367", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29509", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29572", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29685", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29764", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29811", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29831", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29813", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29862", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29908", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29902", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29866", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29804", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.299", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29943", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29992", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15112" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15112", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15112" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/etcd-io/etcd", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd" }, { "reference_url": "https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf" }, { "reference_url": "https://github.com/etcd-io/etcd/commit/7d1cf640497cbcdfb932e619b13624112c7e3865", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/commit/7d1cf640497cbcdfb932e619b13624112c7e3865" }, { "reference_url": "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/commit/f4b650b51dc4a53a8700700dc12e1242ac56ba07" }, { "reference_url": "https://github.com/etcd-io/etcd/pull/11793", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/pull/11793" }, { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15112", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15112" }, { "reference_url": "https://pkg.go.dev/vuln/GO-2020-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pkg.go.dev/vuln/GO-2020-0005" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868872", "reference_id": "1868872", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868872" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968740", "reference_id": "968740", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968740" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:0916", "reference_id": "RHSA-2021:0916", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:0916" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:1407", "reference_id": "RHSA-2021:1407", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:1407" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2438", "reference_id": "RHSA-2021:2438", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2438" }, { "reference_url": "https://usn.ubuntu.com/5628-1/", "reference_id": "USN-5628-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5628-1/" }, { "reference_url": "https://usn.ubuntu.com/USN-5628-2/", "reference_id": "USN-USN-5628-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5628-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "aliases": [ "CVE-2020-15112", "GHSA-m332-53r6-2w93" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uyag-gzdr-kbf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15654?format=api", "vulnerability_id": "VCID-xkcm-vrk1-u3g6", "summary": "Etcd embed auto compaction retention negative value causing a compaction loop or a crash\n### Impact\nData Validation\n\n### Detail\nThe parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)", "references": [ { "reference_url": "https://github.com/etcd-io/etcd", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd" }, { "reference_url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53848?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.3.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.3.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/53844?format=api", "purl": "pkg:golang/go.etcd.io/etcd/v3@3.4.10", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" } ], "aliases": [ "GHSA-pm3m-32r3-7mfh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xkcm-vrk1-u3g6" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:golang/go.etcd.io/etcd/v3@3.4.10" }