CVE-2018-1098

Priority
Description
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An
attacker can set up a website that tries to send a POST request to the etcd
server and modify a key. Adding a key is done with PUT, so it is
theoretically safe (an HTML form or similar cannot issue a PUT), but POST
allows creating in-order keys, and an attacker can send such a request.
Notes
 msalvatore> Waiting for upstream to backport fix to 3.2 branch.
 msalvatore> See https://github.com/etcd-io/etcd/issues/10479
Package
Source: etcd (LP Ubuntu Debian)
Upstream: needed
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 18.10 (Cosmic Cuttlefish): ignored (reached end-of-life)
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): needed
More Information

Updated: 2019-07-18 17:29:20 UTC (commit 649f8c6455205380e35ed054e9ea734222c716bb)