CVE-2018-1099

Name: CVE-2018-1099
Description: DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 921156

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| etcd (PTS) | buster (security), buster, buster (lts) | 3.2.26+dfsg-3+deb10u1 | vulnerable |
| | bullseye | 3.3.25+dfsg-6 | vulnerable |
| | bookworm | 3.4.23-4 | fixed |
| | sid, trixie | 3.5.16-3 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| etcd | source | experimental | 3.5.5-1 | | | |
| etcd | source | (unstable) | 3.4.23-1 | low | | 921156 |

Notes

[bullseye] - etcd <no-dsa> (Minor issue)
[buster] - etcd <no-dsa> (Minor issue)
https://github.com/coreos/etcd/issues/9353
https://github.com/etcd-io/etcd/pull/9372
https://bugzilla.redhat.com/show_bug.cgi?id=1552717
