GHSA-h8g9-6gvh-5mrc: 
vulnerability analysis and mitigation

A low severity authentication vulnerability (GHSA-h8g9-6gvh-5mrc) was identified in etcd, affecting versions >= 3.4.0, < 3.4.10 and < 3.3.23. The vulnerability was discovered and published on August 5, 2020, and involves a Time-of-Check to Time-of-Use (TOCTOU) issue in the gateway endpoint authentication mechanism (GitHub Advisory).

The vulnerability stems from the gateway's authentication process for endpoints detected from DNS SRV records. The gateway performs authentication validation only once when endpoints are initially detected. This creates a TOCTOU vulnerability where if an endpoint changes its authentication settings after the initial check, the gateway continues to treat the endpoint as authenticated, potentially leading to security issues (GitHub Advisory).

The impact of this vulnerability is considered low severity. If exploited, it could allow an endpoint to bypass authentication checks after changing its authentication settings, as the gateway would continue to treat it as authenticated based on the initial validation (GitHub Advisory).

The vulnerability has been patched in etcd versions 3.4.10 and 3.3.23. Users are advised to upgrade to these patched versions. For those unable to upgrade immediately, refer to the gateway documentation for workarounds. The auditors have noted that appropriate documentation of the validation functionality and deprecation of the misleading functionality is considered an acceptable mitigation path (GitHub Advisory).