{"api_version":"1","generated_at":"2026-05-13T19:22:38+00:00","cve":"CVE-2018-1099","urls":{"html":"https://cve.report/CVE-2018-1099","api":"https://cve.report/api/cve/CVE-2018-1099.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1099","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1099"},"summary":{"title":"CVE-2018-1099","description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-04-03 16:29:00","updated_at":"2023-11-07 02:55:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/","name":"FEDORA-2019-833466697f","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 30 Update: etcd-3.3.12-1.20190314gite1ca3b4.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1552717","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1552717","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Vendor Advisory"],"title":"1552717 – (CVE-2018-1099) CVE-2018-1099 etcd: DNS rebinding vulnerability in etcd server","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/","name":"FEDORA-2019-219b0b0b6a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 29 Update: etcd-3.3.12-4.20190413gitf29b1ad.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/","name":"FEDORA-2019-219b0b0b6a","refsource":"","tags":[],"title":"[SECURITY] Fedora 29 Update: etcd-3.3.12-4.20190413gitf29b1ad.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/","name":"FEDORA-2019-833466697f","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: etcd-3.3.12-1.20190314gite1ca3b4.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/coreos/etcd/issues/9353","name":"https://github.com/coreos/etcd/issues/9353","refsource":"CONFIRM","tags":["Exploit","Third Party Advisory"],"title":"Mitigate CSRF and DNS Rebinding attacks · Issue #9353 · etcd-io/etcd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1099","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1099","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1099","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1099","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1099","vulnerable":"1","versionEndIncluding":"3.3.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"etcd","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","DATE_PUBLIC":"2018-02-25T00:00:00","ID":"CVE-2018-1099","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"etcd","version":{"version_data":[{"version_value":"3.3.1 and earlier"}]}}]},"vendor_name":"Red Hat, Inc."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=1552717","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1552717"},{"name":"https://github.com/coreos/etcd/issues/9353","refsource":"CONFIRM","url":"https://github.com/coreos/etcd/issues/9353"},{"refsource":"FEDORA","name":"FEDORA-2019-833466697f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPGYHMSKDPW5GAMI7BEP3XQRVRLLBJKS/"},{"refsource":"FEDORA","name":"FEDORA-2019-219b0b0b6a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JX7QTIT465BQGRGNCE74RATRQLKT2QE4/"}]}},"nvd":{"publishedDate":"2018-04-03 16:29:00","lastModifiedDate":"2023-11-07 02:55:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:P/A:N","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*","versionEndIncluding":"3.3.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1099","Ordinal":"116330","Title":"CVE-2018-1099","CVE":"CVE-2018-1099","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1099","Ordinal":"1","NoteData":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1099","Ordinal":"2","NoteData":"2018-04-03","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1099","Ordinal":"3","NoteData":"2019-05-06","Type":"Other","Title":"Modified"}]}}}