DNS Rebinding

Affecting github.com/coreos/etcd/pkg/httputil package, versions <3.4

medium severity

Overview

github.com/coreos/etcd/pkg/httputil is a package of etcd, a distributed reliable key-value store for the most critical data of a distributed system.

Affected versions of this package are vulnerable to DNS Rebinding. An attacker who controls the DNS records for a domain can point them at localhost and trick a victim's browser into sending requests to localhost (or any other address).

Remediation

Upgrade github.com/coreos/etcd/pkg/httputil to version 3.4 or higher.
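
A request that arrives through a rebound name still carries the attacker-controlled domain in its Host header, so a server meant for local use can refuse it by allowlisting the Host values it expects. The Go code below is an added example of that check, not etcd's code or its actual fix; the function names, the allowlist contents and the sample Host values are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allowlist for a service meant to be reached only on loopback.
var allowed = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}

// hostAllowed strips port, case, trailing dot and IPv6 brackets, then checks the allowlist.
func hostAllowed(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	host = strings.Trim(strings.TrimSuffix(strings.ToLower(host), "."), "[]")
	return allowed[host]
}

// requireKnownHost answers 403 unless Host is allowlisted; a rebound request carries the attacker's name there.
func requireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one constructed in-memory request through the wrapper and returns the status.
func statusFor(hostHeader string) int {
	ok := http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, "http://placeholder/", nil)
	req.Host = hostHeader
	rec := httptest.NewRecorder()
	requireKnownHost(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, host := range []string{"localhost:2379", "[::1]:2379", "rebind.attacker.example:2379"} { // constructed Host values
		fmt.Printf("%-30s -> %d\n", host, statusFor(host))
	}
}
```

The check compares the name the client asked for, not the address the connection arrived on, which is why it still works when the attacker's name resolves to 127.0.0.1.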


Credit: zelivans
CVE: CVE-2018-1099
CWE: CWE-350
Snyk ID: SNYK-GOLANG-GITHUBCOMCOREOSETCDPKGHTTPUTIL-50070
Disclosed: 25 Feb, 2018
Published: 26 Apr, 2018