DNS Rebinding

Affecting github.com/coreos/etcd/etcdmain package, versions <3.4

Overview

github.com/coreos/etcd/pkg/httputil is a distributed reliable key-value store for the most critical data of a distributed system.

Affected versions of this package are vulnerable to DNS Rebinding. An attacker who controls the DNS records for their own domain can point them at localhost, and trick the browser into sending requests to localhost (or any other address).

Remediation

Upgrade github.com/coreos/etcd/pkg/httputil to version 3.4 or higher.

CVSS Score

5.5 (medium severity)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Credit: zelivans
CVE: CVE-2018-1099
CWE: CWE-350
Snyk ID: SNYK-GOLANG-GITHUBCOMCOREOSETCDETCDMAIN-50066
Disclosed: 25 Feb, 2018
Published: 26 Apr, 2018