Base Score

HIGH7.5

CVE-2020-15115

etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateAug 06, 2020, 22:15

Affected Versions(2)

go.etcd.io/etcd/client/v3(Go)

Introduced3.4.0

Fixed3.4.10

LimitN/A

go.etcd.io/etcd/client/v3(Go)

Introduced0

Fixed3.3.23

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
go.etcd.io/etcd/client/v3(Go)	3.4.0	3.4.10	N/A
go.etcd.io/etcd/client/v3(Go)	0	3.3.23	N/A

Weakness Type (CWE):CWE-521

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-521

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE