CVE-2020-15115

CWE-521 CWE-30510 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 43.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Etcd-io Etcd Go.etcd.io Etcd/client/v3 Redhat Etcd +1 more

Timeline

PublishedAug 6

Latest updateOct 6

Description

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDredhat/etcd3.3.0 — 3.3.23+1

▶CVEListV5etcd-io/etcd< 3.3.23+1

▶Gogo.etcd.io/etcd/client/v33.4.0 — 3.4.10+1

▶Debianetcd< 3.3.25+dfsg-5+3

Also affects: Fedora 32

🔴Vulnerability Details

OSV

etcd has no minimum password length↗2022-10-06

▶

GHSA

etcd has no minimum password length↗2022-10-06

▶

OSV

CVE-2020-15115: etcd before versions 3↗2020-08-06

▶

CVEList

No minimum password length in etcd↗2020-08-06

▶

📋Vendor Advisories

Microsoft

No minimum password length in etcd↗2020-08-11

▶

Red Hat

etcd: improper validation of passwords allow an attacker to guess or brute-force user's passwords↗2020-08-05

▶

Debian

CVE-2020-15115: etcd - etcd before versions 3.3.23 and 3.4.10 does not perform any password length vali...↗2020

▶

💬Community

Bugzilla

CVE-2020-15115 etcd: improper validation of passwords allow an attacker to guess or brute-force user's passwords [fedora-all]↗2020-08-14

▶

Bugzilla

CVE-2020-15115 etcd: improper validation of passwords allow an attacker to guess or brute-force user's passwords↗2020-08-14

▶