{"containers": {"cna": {"affected": [{"product": "etcd", "vendor": "etcd-io", "versions": [{"status": "affected", "version": "< 3.3.23"}, {"status": "affected", "version": "< 3.4.10"}]}], "descriptions": [{"lang": "en", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "{\"CWE-521\":\"Weak Password Requirements\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-04T02:06:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"name": "FEDORA-2020-cd43b84c16", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}], "source": {"advisory": "GHSA-4993-m7g5-r9hh", "discovery": "UNKNOWN"}, "title": "No minimum password length in etcd", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15115", "STATE": "PUBLIC", "TITLE": "No minimum password length in etcd"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "etcd", "version": {"version_data": [{"version_value": "< 3.3.23"}, {"version_value": "< 3.4.10"}]}}]}, "vendor_name": "etcd-io"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-521\":\"Weak Password Requirements\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh", "refsource": "CONFIRM", "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"name": "FEDORA-2020-cd43b84c16", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}]}, "source": {"advisory": "GHSA-4993-m7g5-r9hh", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.734Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"name": "FEDORA-2020-cd43b84c16", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15115", "datePublished": "2020-08-06T21:55:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.734Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "44C58F4F-02EB-40DC-86CB-98D027FE7F84", "versionEndExcluding": "3.3.23", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "362ED3D1-DC14-4BC6-A565-39EA4CA7B061", "versionEndExcluding": "3.4.10", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}, {"lang": "es", "value": "etcd anterior a las versiones 3.3.23 y 3.4.10, no lleva a cabo ninguna comprobaci\u00f3n de longitud de contrase\u00f1a, lo que permite contrase\u00f1as muy cortas, como aquellas con una longitud de uno. Esto puede permitir a un atacante adivinar o forzar las contrase\u00f1as de los usuarios con poco esfuerzo computacional"}], "id": "CVE-2020-15115", "lastModified": "2024-11-21T05:04:51.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-06T22:15:12.093", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0916", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "etcd-0:3.3.23-1.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2021-03-17T00:00:00Z"}], "bugzilla": {"description": "etcd: improper validation of passwords allow an attacker to guess or brute-force user's passwords", "id": "1868878", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868878"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-305", "details": ["etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.", "A flaw was found in etcd, where it does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This flaw allows an attacker to guess or brute-force users' passwords with little computational effort. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2020-15115", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-etcd", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Fix deferred", "impact": "low", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-15115\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15115\nhttps://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"], "statement": "Red Hat OpenShift Container Platform (RHOCP) doesn't use etcd role-based access control (rbac), instead of that, OpenShift OAuth authentication is used. Therefore, RHOCP is not affected by this vulnerability.\nA similar configuration is in place in Red Hat OpenStack Platform (RHOSP) as etcd does not use a password for access and instead uses a TLS certificate.", "threat_severity": "Moderate"}

{}