0.0 NONE
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): NONE
etcd: Nested etcd transactions bypass RBAC authorization checks
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.
References
- https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q x_refsource_CONFIRM
Affected products
- ==< 3.4.42
- ==>= 3.5.0-alpha.0, < 3.5.28
- ==>= 3.6.0-alpha.0, < 3.6.9
Matching in nixpkgs
pkgs.etcd
Distributed reliable key-value store for the most critical data of a distributed system
pkgs.netcdf
Libraries for the Unidata network Common Data Format
pkgs.pnetcdf
Parallel I/O Library for NetCDF File Access
pkgs.etcd_3_4
Distributed reliable key-value store for the most critical data of a distributed system
pkgs.etcd_3_5
Distributed reliable key-value store for the most critical data of a distributed system
pkgs.etcd_3_6
Distributed reliable key-value store for the most critical data of a distributed system
pkgs.netcdf-mpi
Libraries for the Unidata network Common Data Format
pkgs.netcdfcxx4
C++ API to manipulate netcdf files
-
nixos-unstable cxx4-4.3.1
- nixpkgs-unstable cxx4-4.3.1
- nixos-unstable-small cxx4-4.3.1
-
nixos-25.11 cxx4-4.3.1
- nixos-25.11-small cxx4-4.3.1
- nixpkgs-25.11-darwin cxx4-4.3.1
pkgs.netcdffortran
Fortran API to manipulate netcdf files
pkgs.pkgsRocm.pnetcdf
Parallel I/O Library for NetCDF File Access
pkgs.pkgsRocm.netcdf-mpi
Libraries for the Unidata network Common Data Format
pkgs.octavePackages.netcdf
NetCDF interface for Octave
-
nixos-unstable 11.1.0-netcdf-1.0.19
- nixpkgs-unstable 11.1.0-netcdf-1.0.19
- nixos-unstable-small 11.1.0-netcdf-1.0.19
-
nixos-25.11 10.3.0-netcdf-1.0.18
- nixos-25.11-small 10.3.0-netcdf-1.0.18
- nixpkgs-25.11-darwin 10.3.0-netcdf-1.0.18
pkgs.python312Packages.etcd
Python etcd client that just works
pkgs.python313Packages.etcd
Python etcd client that just works
pkgs.python314Packages.etcd
Python etcd client that just works
pkgs.python312Packages.aetcd
Python asyncio-based client for etcd
pkgs.python312Packages.etcd3
Python client for the etcd API v3
-
nixos-25.11 etcd3-0.12.0
- nixos-25.11-small etcd3-0.12.0
- nixpkgs-25.11-darwin etcd3-0.12.0
pkgs.python313Packages.aetcd
Python asyncio-based client for etcd
pkgs.python313Packages.etcd3
Python client for the etcd API v3
-
nixos-unstable etcd3-0.12.0
- nixpkgs-unstable etcd3-0.12.0
- nixos-unstable-small etcd3-0.12.0
-
nixos-25.11 etcd3-0.12.0
- nixos-25.11-small etcd3-0.12.0
- nixpkgs-25.11-darwin etcd3-0.12.0
pkgs.python314Packages.aetcd
Python asyncio-based client for etcd
pkgs.python314Packages.etcd3
Python client for the etcd API v3
-
nixos-unstable etcd3-0.12.0
- nixpkgs-unstable etcd3-0.12.0
- nixos-unstable-small etcd3-0.12.0
pkgs.python312Packages.netcdf4
Interface to netCDF library (versions 3 and 4)
-
nixos-25.11 netcdf4-1.7.2
- nixos-25.11-small netcdf4-1.7.2
- nixpkgs-25.11-darwin netcdf4-1.7.2
pkgs.python313Packages.netcdf4
Interface to netCDF library (versions 3 and 4)
-
nixos-unstable netcdf4-1.7.2
- nixpkgs-unstable netcdf4-1.7.2
- nixos-unstable-small netcdf4-1.7.2
-
nixos-25.11 netcdf4-1.7.2
- nixos-25.11-small netcdf4-1.7.2
- nixpkgs-25.11-darwin netcdf4-1.7.2
pkgs.python314Packages.netcdf4
Interface to netCDF library (versions 3 and 4)
-
nixos-unstable netcdf4-1.7.2
- nixpkgs-unstable netcdf4-1.7.2
- nixos-unstable-small netcdf4-1.7.2
pkgs.python312Packages.h5netcdf
Pythonic interface to netCDF4 via h5py
-
nixos-25.11 h5netcdf-1.6.4
- nixos-25.11-small h5netcdf-1.6.4
- nixpkgs-25.11-darwin h5netcdf-1.6.4
pkgs.python313Packages.h5netcdf
Pythonic interface to netCDF4 via h5py
-
nixos-unstable h5netcdf-1.8.0
- nixpkgs-unstable h5netcdf-1.8.0
- nixos-unstable-small h5netcdf-1.8.0
-
nixos-25.11 h5netcdf-1.6.4
- nixos-25.11-small h5netcdf-1.6.4
- nixpkgs-25.11-darwin h5netcdf-1.6.4
pkgs.python314Packages.h5netcdf
Pythonic interface to netCDF4 via h5py
-
nixos-unstable h5netcdf-1.8.0
- nixpkgs-unstable h5netcdf-1.8.0
- nixos-unstable-small h5netcdf-1.8.0
pkgs.python312Packages.python-etcd
Python client for Etcd
-
nixos-25.11 0.5.0-unstable-2023-10-31
- nixos-25.11-small 0.5.0-unstable-2023-10-31
- nixpkgs-25.11-darwin 0.5.0-unstable-2023-10-31
pkgs.python313Packages.python-etcd
Python client for Etcd
-
nixos-unstable 0.4.5-unstable-2024-08-09
- nixpkgs-unstable 0.4.5-unstable-2024-08-09
- nixos-unstable-small 0.4.5-unstable-2024-08-09
-
nixos-25.11 0.5.0-unstable-2023-10-31
- nixos-25.11-small 0.5.0-unstable-2023-10-31
- nixpkgs-25.11-darwin 0.5.0-unstable-2023-10-31
pkgs.python314Packages.python-etcd
Python client for Etcd
-
nixos-unstable 0.4.5-unstable-2024-08-09
- nixpkgs-unstable 0.4.5-unstable-2024-08-09
- nixos-unstable-small 0.4.5-unstable-2024-08-09
Package maintainers
-
@offlinehacker Jaka Hudoklin <jaka@x-truder.net>
-
@bzizou Bruno Bzeznik <Bruno@bzizou.net>
-
@KarlJoad Karl Hallsby <karl@hallsby.com>
-
@qbisi qbisicwate <qbisicwate@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@dtomvan Tom van Dijk <18gatenmaker6@gmail.com>