etcd 3.3.1 and earlier does not correctly restrict access to resources based on the hostname, thus allowing a DNS rebinding attack. An attacker who controls his own DNS records can trick the browser into sending requests to an etcd server on an internal network, bypassing the same-origin policy. Upstream issue: https://github.com/coreos/etcd/issues/9353
Created etcd tracking bugs for this issue: Affects: fedora-all [bug 1552720]
Patch: https://github.com/coreos/etcd/commit/a7e5790c82039945639798ae9a3289fe787f5e56
Reference: https://www.twistlock.com/2018/02/28/dear-developers-beware-dns-rebinding/
Mitigation: Configure and enable authentication on the etcd server or secure your client connection via HTTPS.
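
A generic illustration of the hostname restriction the description refers to, as an added example (not etcd's code and not the linked patch): an HTTP handler wrapper that rejects any request whose Host header is not an expected name. The function names, the allowlist entries and the sample Host values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostAllowlist wraps next and rejects requests whose Host header is not an
// expected name. After a DNS rebind the browser connects to the internal IP
// but still sends the attacker's domain in Host, so the check rejects it.
func hostAllowlist(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, h := range allowed {
		set[strings.ToLower(h)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // drop the port, keep the name or IP literal
		}
		host = strings.ToLower(strings.Trim(host, "[]"))
		if !set[host] {
			http.Error(w, "host not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a GET carrying the given Host header (constructed sample
// input) through the wrapped handler and returns the response status.
func statusFor(h http.Handler, hostHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = hostHeader
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	h := hostAllowlist([]string{"localhost", "127.0.0.1", "etcd.internal.example"}, api)
	for _, host := range []string{"127.0.0.1:2379", "etcd.internal.example:2379", "rebind.attacker.example:2379"} {
		fmt.Println(host, statusFor(h, host))
	}
}
```

A Host check of this kind only covers browser-driven rebinding; it does not replace the authentication or HTTPS mitigation listed above.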