Vulnerability Description
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
CVSS Score
5.5
MEDIUM
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Etcd | <= 3.3.1 |
| Fedoraproject | Fedora | 30 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1552717Issue TrackingPatchVendor Advisory
- https://github.com/coreos/etcd/issues/9353ExploitThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://bugzilla.redhat.com/show_bug.cgi?id=1552717Issue TrackingPatchVendor Advisory
- https://github.com/coreos/etcd/issues/9353ExploitThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2018-1099?
CVE-2018-1099 is a vulnerability with a CVSS score of 5.5 (MEDIUM). DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other addr...
How severe is CVE-2018-1099?
CVE-2018-1099 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1099?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Etcd, Fedoraproject Fedora.