data/reports/GO-2021-0077.yaml - vulndb - Git at Google

 id: GO-2021-0077
 modules:
     - module: go.etcd.io/etcd
       versions:
         - fixed: 0.5.0-alpha.5.0.20190108173120-83c051b701d3
       vulnerable_at: 0.5.0-alpha.5.0.20190108163607-9c6b407e7d45
       packages:
         - package: go.etcd.io/etcd/auth
           symbols:
             - authStore.AuthInfoFromTLS
 summary: Authentication bypass in go.etcd.io/etcd
 description: |-
     A user can use a valid client certificate that contains a CommonName that
     matches a valid RBAC username to authenticate themselves as that user, despite
     lacking the required credentials. This may allow authentication bypass, but
     requires a certificate that is issued by a CA trusted by the server.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2018-16886
 ghsas:
     - GHSA-h6xx-pmxh-3wgp
 references:
     - fix: https://github.com/etcd-io/etcd/pull/10366
     - fix: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
 review_status: REVIEWED
	id: GO-2021-0077
	modules:
	- module: go.etcd.io/etcd
	versions:
	- fixed: 0.5.0-alpha.5.0.20190108173120-83c051b701d3
	vulnerable_at: 0.5.0-alpha.5.0.20190108163607-9c6b407e7d45
	packages:
	- package: go.etcd.io/etcd/auth
	symbols:
	- authStore.AuthInfoFromTLS
	summary: Authentication bypass in go.etcd.io/etcd
	description: \|-
	A user can use a valid client certificate that contains a CommonName that
	matches a valid RBAC username to authenticate themselves as that user, despite
	lacking the required credentials. This may allow authentication bypass, but
	requires a certificate that is issued by a CA trusted by the server.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2018-16886
	ghsas:
	- GHSA-h6xx-pmxh-3wgp
	references:
	- fix: https://github.com/etcd-io/etcd/pull/10366
	- fix: https://github.com/etcd-io/etcd/commit/bf9d0d8291dc71ecbfb2690612954e1a298154b2
	review_status: REVIEWED