SCA: security update for go.etcd.io/etcd/v3 (GHSA-rfx7-8w68-q57q)

medium Tenable Cloud Security Plugin ID 439089

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42,
3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested
transactions to bypass all key-level authorization. This allows any authenticated user with direct access
to etcd to effectively ignore all key range restrictions, accessing the entire etcd data store. Kubernetes
does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles
authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions
3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by
treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so
only trusted components can connect and require strong client identity at the transport layer, such as
mTLS with tightly scoped client certificate distribution. (CVE-2026-33343)

Solution

Update the go.etcd.io/etcd/v3 library and its related packages to version 3.4.42 or later.

See Also

https://github.com/advisories/GHSA-rfx7-8w68-q57q

Plugin Details

Severity: Medium

ID: 439089

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-33343

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2026

Vulnerability Publication Date: 3/20/2026

Reference Information

CVE: CVE-2026-33343

cwe: CWE-863