CVE-2020-15115 - OpenCVE

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Etcd
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:redhat:etcd::::::::
	cpe:2.3:a:redhat:etcd::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-08-06T21:55:12

Updated: 2021-01-04T02:06:11

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15115

JSON object: View

NVD Information

Status : Modified

Published: 2020-08-06T22:15:12.093

Modified: 2023-11-07T03:17:25.413

Link: CVE-2020-15115

JSON object: View

Redhat Information

No data.

CWE

CWE-521

{"containers": {"cna": {"affected": [{"product": "etcd", "vendor": "etcd-io", "versions": [{"status": "affected", "version": "< 3.3.23"}, {"status": "affected", "version": "< 3.4.10"}]}], "descriptions": [{"lang": "en", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "{\"CWE-521\":\"Weak Password Requirements\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-04T02:06:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"name": "FEDORA-2020-cd43b84c16", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}], "source": {"advisory": "GHSA-4993-m7g5-r9hh", "discovery": "UNKNOWN"}, "title": "No minimum password length in etcd", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15115", "STATE": "PUBLIC", "TITLE": "No minimum password length in etcd"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "etcd", "version": {"version_data": [{"version_value": "< 3.3.23"}, {"version_value": "< 3.4.10"}]}}]}, "vendor_name": "etcd-io"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-521\":\"Weak Password Requirements\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh", "refsource": "CONFIRM", "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"name": "FEDORA-2020-cd43b84c16", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}]}, "source": {"advisory": "GHSA-4993-m7g5-r9hh", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15115", "datePublished": "2020-08-06T21:55:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2021-01-04T02:06:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "44C58F4F-02EB-40DC-86CB-98D027FE7F84", "versionEndExcluding": "3.3.23", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:etcd:*:*:*:*:*:*:*:*", "matchCriteriaId": "362ED3D1-DC14-4BC6-A565-39EA4CA7B061", "versionEndExcluding": "3.4.10", "versionStartIncluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort."}, {"lang": "es", "value": "etcd anterior a las versiones 3.3.23 y 3.4.10, no lleva a cabo ninguna comprobaci\u00f3n de longitud de contrase\u00f1a, lo que permite contrase\u00f1as muy cortas, como aquellas con una longitud de uno. Esto puede permitir a un atacante adivinar o forzar las contrase\u00f1as de los usuarios con poco esfuerzo computacional"}], "id": "CVE-2020-15115", "lastModified": "2023-11-07T03:17:25.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-08-06T22:15:12.093", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6B6R43Y7M3DCHWK3L3UVGE2K6WWECMP/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Secondary"}]}