Bug 1552714 (CVE-2018-1098) - CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Summary: CVE-2018-1098 etcd: Cross-site request forgery via crafted local POST forms
Keywords:
Status: NEW
Alias: CVE-2018-1098
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1590309 1552720 1552721 1553762 1553763 1566226
Blocks: 1552719
TreeView+ depends on / blocked
 
Reported: 2018-03-07 15:29 UTC by Pedro Sampaio
Modified: 2019-09-29 14:34 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A cross-site request forgery flaw has been discovered in etcd. A remote attacker could set up a malicious website that execute POST requests to an etcd server to modify or add a key.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2018-03-07 15:29:46 UTC
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Upstream bug:

https://github.com/coreos/etcd/issues/9353

Comment 1 Pedro Sampaio 2018-03-07 15:42:22 UTC
Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 1552720]

Comment 6 Riccardo Schirone 2018-06-12 09:58:25 UTC
Reference:
https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/

Comment 8 Riccardo Schirone 2018-06-12 12:17:11 UTC
If etcd supports the new v3 API, the attacker can run more operations through POST, as described in the reference blog post.

Comment 11 Riccardo Schirone 2018-06-19 08:13:19 UTC
Mitigation:

Configure and enable authentication on the etcd server.


Note You need to log in before you can comment on or make changes to this bug.