Impact
etcd fails to enforce the client certificate revocation list when the '--listen-client-http-urls' flag splits HTTP and gRPC client endpoints onto separate listeners. As a result, a client presenting a revoked certificate can still authenticate over gRPC. This bypass of revocation checks permits an attacker to impersonate a legitimate client, potentially compromising the confidentiality or integrity of etcd data. The flaw is captured by CWE‑295, reflecting a broken authentication mechanism.
Affected Systems
etcd versions earlier than 3.5.32 and 3.6.13 are affected when configured with the split‑listener option. Administrators using etcd‑io’s etcd 3.5.x or 3.6.x releases that employ '--listen-client-http-urls' for separate HTTP and gRPC endpoints are susceptible. All deployments of those versions that expose the gRPC endpoint to potential clients are therefore at risk.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of <1% shows the probability of exploitation remains very low. The vulnerability is not listed in the CISA KEV catalog, suggesting no currently widespread exploitation. However, the attack can be delivered from any network location that can reach the gRPC endpoint, and an attacker only needs a compromised or revoked client certificate to gain access. The fact that revocation is ignored removes a key safety check, making the compromise straightforward for a determined adversary.
OpenCVE Enrichment