{
  "threat_severity" : "Important",
  "public_date" : "2023-04-04T00:00:00Z",
  "bugzilla" : {
    "description" : "etcd: Information discosure via debug function",
    "id" : "2184441",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2184441"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.", "A flaw was found in etcd, where etc-io could allow a remote attacker to gain elevated privileges on the system caused by a vulnerability in the debug function. By sending a specially crafted request, an attacker can gain elevated privileges." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3447",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "etcd-0:3.3.23-14.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3445",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "etcd-0:3.3.23-14.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.0",
    "release_date" : "2023-06-05T00:00:00Z",
    "advisory" : "RHSA-2023:3441",
    "cpe" : "cpe:/a:redhat:openstack:17.0::el9",
    "package" : "etcd-0:3.4.26-1.el9ost"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Affected",
    "package_name" : "openshift-logging/lokistack-gateway-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/client-kn-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "etcd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "etcd3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-docker-builder",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-etcd",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-machine-config-operator",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-operator-sdk-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-security-profiles-operator-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Affected",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-28235\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28235" ],
  "name" : "CVE-2021-28235",
  "csaw" : false
}