Bug 1552714 (CVE-2018-1098) - CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Summary: CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Alias: CVE-2018-1098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1552720 1552721 1553762 1553763 1566226 1590309
Blocks: 1552719
TreeView+ depends on / blocked
Reported: 2018-03-07 15:29 UTC by Pedro Sampaio
Modified: 2021-10-21 19:56 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A cross-site request forgery flaw has been discovered in etcd. A remote attacker could set up a malicious website that execute POST requests to an etcd server to modify or add a key.
Clone Of:
Last Closed: 2021-10-21 19:56:17 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2018-03-07 15:29:46 UTC
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Upstream bug:


Comment 1 Pedro Sampaio 2018-03-07 15:42:22 UTC
Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 1552720]

Comment 6 Riccardo Schirone 2018-06-12 09:58:25 UTC

Comment 8 Riccardo Schirone 2018-06-12 12:17:11 UTC
If etcd supports the new v3 API, the attacker can run more operations through POST, as described in the reference blog post.

Comment 11 Riccardo Schirone 2018-06-19 08:13:19 UTC

Configure and enable authentication on the etcd server.

Note You need to log in before you can comment on or make changes to this bug.