PT-2020-14197 · Coreos+1 · Etcd+1
Spzala · Published 2020-08-05 · Updated 2022-11-21
CVE-2020-15115
CVSS v3.1 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
etcd versions prior to 3.3.23
etcd versions prior to 3.4.10
Description
etcd performs no password length validation, so it accepts very short passwords, including a single character. This lets an attacker guess or brute-force users' passwords with little computational effort. Neither etcdctl nor the etcd auth API enforces a minimum password length when a user is created or a user's password is updated, so in the affected versions the administrator alone is responsible for enforcing such requirements.
Recommendations
For etcd versions prior to 3.3.23, update to version 3.3.23 or later to resolve the issue.
For etcd versions prior to 3.4.10, update to version 3.4.10 or later to resolve the issue.
Until the update is applied, enforce a password length and strength policy out of band, in the tooling or process that creates etcd users and sets their passwords, since the affected versions of etcd accept any length themselves.
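The following is an added example of the manual workaround described above; it is not etcd's own code or tooling. It wraps `etcdctl user add` and `etcdctl user passwd` behind a policy check so that a short password never reaches the unpatched server. The policy values (12-character minimum, at least two character classes, password must not equal the user name) are local assumptions, not requirements stated in the advisory. The 72-byte upper bound is included because etcd stores passwords as bcrypt hashes and bcrypt silently truncates longer input. The example also assumes that `etcdctl`'s `--interactive=false` flag makes it read the password from stdin.

```shell
#!/bin/sh
# Added example (not etcd's tooling): gate "etcdctl user add" and
# "etcdctl user passwd" behind a local password policy, because etcd
# before 3.3.23 / 3.4.10 accepts passwords of any length.
#
# Assumed local policy (not from the advisory):
#   - at least MIN_LEN characters (default 12, override with ETCD_PW_MIN_LEN)
#   - at most 72 bytes: etcd hashes passwords with bcrypt, which truncates input
#   - at least two of upper / lower / digit / punctuation
#   - must not equal the user name
# On etcd 3.3.x etcdctl defaults to the v2 API; export ETCDCTL_API=3 first.

MIN_LEN=${ETCD_PW_MIN_LEN:-12}
BCRYPT_MAX_BYTES=72

# check_password PASSWORD [USERNAME]
# Returns 0 when PASSWORD satisfies the policy, 1 otherwise (reason on stderr).
check_password() {
  pw=$1
  user=${2:-}
  len=${#pw}
  # Count bytes, not characters, for the bcrypt limit.
  bytes=$(( $(printf '%s' "$pw" | wc -c) ))

  if [ "$len" -lt "$MIN_LEN" ]; then
    echo "rejected: password has $len characters, policy requires $MIN_LEN" >&2
    return 1
  fi
  if [ "$bytes" -gt "$BCRYPT_MAX_BYTES" ]; then
    echo "rejected: $bytes bytes exceeds the $BCRYPT_MAX_BYTES-byte bcrypt limit" >&2
    return 1
  fi
  if [ -n "$user" ] && [ "$pw" = "$user" ]; then
    echo "rejected: password must not equal the user name" >&2
    return 1
  fi

  # Count how many POSIX character classes the password draws from.
  classes=0
  for class in '[[:upper:]]' '[[:lower:]]' '[[:digit:]]' '[[:punct:]]'; do
    if printf '%s' "$pw" | grep -q "$class"; then
      classes=$((classes + 1))
    fi
  done
  if [ "$classes" -lt 2 ]; then
    echo "rejected: use at least two of upper, lower, digit, punctuation" >&2
    return 1
  fi
  return 0
}

# etcd_user_add USER PASSWORD: create the user only if the policy passes.
# Assumes --interactive=false makes etcdctl read the password from stdin.
etcd_user_add() {
  check_password "$2" "$1" || return 1
  printf '%s\n' "$2" | etcdctl user add "$1" --interactive=false
}

# etcd_user_passwd USER PASSWORD: same gate for password changes.
etcd_user_passwd() {
  check_password "$2" "$1" || return 1
  printf '%s\n' "$2" | etcdctl user passwd "$1" --interactive=false
}

# Minimal CLI dispatch: "add USER PASSWORD" or "passwd USER PASSWORD".
case ${1:-} in
  add)    etcd_user_add "$2" "$3" ;;
  passwd) etcd_user_passwd "$2" "$3" ;;
esac
```

Because etcd keeps only bcrypt hashes, the server cannot be asked which existing accounts already have short passwords; after deploying a gate like this, rotate the passwords of all existing users through it rather than trying to audit them in place.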
Affected Products
Alt Linux
Etcd