
Directories created via os.MkdirAll are not checked for permissions

Moderate
spzala published GHSA-chh6-ppwq-jh92 Aug 5, 2020

Package

pkg, etcdmain

Affected versions

<= 3.4.9

Patched versions

3.4.10, 3.3.23

Description

Vulnerability type

Access Controls

Detail

etcd creates certain directory paths (the etcd data directory, and the directory path provided for automatically generating self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using os.MkdirAll. This function does not perform any permission checks when a given directory path already exists, so an existing directory keeps its current permissions.

Workarounds

Make sure these directories have the desired permissions (700).
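
The behaviour described under Detail and the check the workaround asks for, as an added example that is not etcd's own code. The names createUnchecked, createChecked and privateDirMode are hypothetical, and the directory used in main is a constructed temporary path.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// privateDirMode is the mode the advisory says these directories should have.
const privateDirMode os.FileMode = 0700

// createUnchecked shows the pattern from the advisory: os.MkdirAll returns nil
// for a directory that already exists and leaves its mode untouched.
func createUnchecked(dir string) error {
	return os.MkdirAll(dir, privateDirMode)
}

// createChecked (hypothetical helper) creates the directory if needed, then
// verifies that the path on disk is a directory with exactly mode 0700.
func createChecked(dir string) error {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return err
	}
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	if perm := fi.Mode().Perm(); perm != privateDirMode {
		return fmt.Errorf("%s has mode %04o, want %04o", dir, uint32(perm), uint32(privateDirMode))
	}
	return nil
}

func main() {
	base, err := os.MkdirTemp("", "mkdirall-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	dir := filepath.Join(base, "data") // constructed stand-in for a data directory
	if err := os.MkdirAll(dir, 0755); err != nil {
		panic(err)
	}
	_ = os.Chmod(dir, 0755)                            // set the mode exactly, independent of umask
	fmt.Println("unchecked:", createUnchecked(dir)) // nil, directory stays 0755
	fmt.Println("checked:  ", createChecked(dir))   // error reporting mode 0755
}
```
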

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2020-15113

Weaknesses

No CWEs