A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.

Upstream bug: https://github.com/coreos/etcd/issues/9353

Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 1552720]
Reference: https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/
If etcd supports the new v3 API, the attacker can run more operations through POST, as described in the reference blog post.
Mitigation: Configure and enable authentication on the etcd server.
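
The PUT versus POST distinction in the description, as an added example (not etcd code and not from the bug report): a check that flags POST requests an HTML form on another site could have produced. The host name, key paths, origins and the trusted-origin set are constructed for illustration, and such a check would only complement the authentication mitigation above.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// formForgeable reports whether a plain HTML form could emit a request with
// this method and Content-Type: forms send only GET or POST, in three encodings.
func formForgeable(method, contentType string) bool {
	if method != http.MethodGet && method != http.MethodPost {
		return false // PUT and DELETE are out of a form's reach
	}
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return true // absent or malformed: err on the side of flagging
	}
	return mt == "application/x-www-form-urlencoded" || mt == "multipart/form-data" || mt == "text/plain"
}

// crossSiteWrite flags a form-forgeable POST whose Origin header names a site
// outside the trusted set. Clients that send no Origin (curl, etcdctl) pass.
func crossSiteWrite(r *http.Request, trusted map[string]bool) bool {
	origin := r.Header.Get("Origin")
	if r.Method != http.MethodPost || origin == "" || !formForgeable(r.Method, r.Header.Get("Content-Type")) {
		return false
	}
	u, err := url.Parse(origin)
	return err != nil || !trusted[u.Host]
}

// sample builds a constructed request; host, paths and origins are made up.
func sample(method, path, contentType, origin string) *http.Request {
	r := httptest.NewRequest(method, "http://etcd.internal.example:2379"+path, strings.NewReader("value=Job1"))
	r.Header.Set("Content-Type", contentType)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	trusted := map[string]bool{"etcd.internal.example:2379": true}
	form := "application/x-www-form-urlencoded"
	fmt.Println(crossSiteWrite(sample("POST", "/v2/keys/queue", form, "http://attacker.example"), trusted))
	fmt.Println(crossSiteWrite(sample("PUT", "/v2/keys/message", form, "http://attacker.example"), trusted))
	fmt.Println(crossSiteWrite(sample("POST", "/v2/keys/queue", form, ""), trusted))
}
```

Only the first sample is flagged; a browser that omits the Origin header on a form POST would not be caught by this check.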