Authentication bypass due to improper Certificate Revocation List enforcement on gRPC listener
Summary
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13. This oversight allows a client with a revoked certificate to successfully authenticate, potentially leading to unauthorized access and compromise of data integrity. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). Weakness: CWE-295. Affected Red Hat products: Red Hat OpenStack Platform 16.2; Red Hat OpenStack Platform 17.1. Red Hat does not currently list a fixing RHSA for this CVE.
- < 3.5.32
- < 3.6.13
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 3.5.32
- 3.6.13
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.