GHSA-rfx7-8w68-q57q · 深刻度: low · エコシステム: go — etcd: Nested etcd transactions bypass RBAC authorization checks
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
総合評価: CVE-2026-33343 は低リスク(11.4/100)。悪用される可能性が高い(EPSS 0.21%、11 パーセンタイル) 推奨対応: 総合リスクは低く緊急対応は不要です。通常の保守サイクルでパッチを適用し、CVSS / EPSS が上昇したら優先度を見直してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.03% | 0.21% | +0.18% |
| 2 | 2026-03-27 | — | 0.03% | — |
EPSS の全履歴 (全 2 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 0.0 | 3.1 | NONE |
|
3.9 | 0.0 | [email protected] |
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
GHSA-rfx7-8w68-q57q · 深刻度: low · エコシステム: go — etcd: Nested etcd transactions bypass RBAC authorization checks
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-33343: 1 source package rows (etcd); 22 state rows across 2 repos (3.23-community, edge-community); fixed 0, open 22. | https://security.alpinelinux.org/vuln/CVE-2026-33343 |
debian
|
not yet assigned | CVE-2026-33343 not yet assigned priority: Debian including 1 source packages (etcd), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-33343 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-33343 |
suse
|
high | CVE-2026-33343 severity important: SUSE including 89 source package names (docker, docker-bash-completion, …), 351 product×package rows across 27 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (27 product lines)): Known Not Affected 351. | https://www.suse.com/security/cve/CVE-2026-33343/ |
ubuntu
|
medium | CVE-2026-33343 medium priority: Ubuntu including 1 source packages (etcd), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. | https://ubuntu.com/security/CVE-2026-33343 |
| URL | タグ |
|---|---|
| https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q | Mitigation Vendor Advisory |