{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"etcd security update", "category":"general", "title":"Synopsis" }, { "text":"An update for etcd is now available for openEuler-20.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"%{expand:\n\nSecurity Fix(es):\n\nWhen parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.(CVE-2023-45290)\n\nIf errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.(CVE-2024-24785)", "category":"general", "title":"Description" }, { "text":"An update for etcd is now available for openEuler-20.03-LTS-SP4-LTS-SP1/openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"etcd", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1682", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1682" }, { "summary":"CVE-2023-45290", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-45290&packageName=etcd" }, { "summary":"CVE-2024-24785", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-24785&packageName=etcd" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45290" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-24785" }, { "summary":"openEuler-SA-2025-1682 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1682.json" } ], "title":"An update for etcd is now available for openEuler-20.03-LTS-SP4", "tracking":{ "initial_release_date":"2025-06-27T21:43:12+08:00", "revision_history":[ { "date":"2025-06-27T21:43:12+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-06-27T21:43:12+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-06-27T21:43:12+08:00", "id":"openEuler-SA-2025-1682", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"etcd-3.4.14-11.oe2003sp4.aarch64.rpm", "name":"etcd-3.4.14-11.oe2003sp4.aarch64.rpm" }, "name":"etcd-3.4.14-11.oe2003sp4.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"etcd-3.4.14-11.oe2003sp4.src.rpm", "name":"etcd-3.4.14-11.oe2003sp4.src.rpm" }, "name":"etcd-3.4.14-11.oe2003sp4.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"etcd-3.4.14-11.oe2003sp4.x86_64.rpm", "name":"etcd-3.4.14-11.oe2003sp4.x86_64.rpm" }, "name":"etcd-3.4.14-11.oe2003sp4.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"etcd-3.4.14-11.oe2003sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "name":"etcd-3.4.14-11.oe2003sp4.aarch64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"etcd-3.4.14-11.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "name":"etcd-3.4.14-11.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"etcd-3.4.14-11.oe2003sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64", "name":"etcd-3.4.14-11.oe2003sp4.x86_64 as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2023-45290", "notes":[ { "text":"When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ], "details":"etcd security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1682" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2023-45290" }, { "cve":"CVE-2024-24785", "notes":[ { "text":"If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ], "details":"etcd security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1682" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.aarch64", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.src", "openEuler-20.03-LTS-SP4:etcd-3.4.14-11.oe2003sp4.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-24785" } ] }