This repository has been archived by the owner on Jun 25, 2022. It is now read-only.
Vulnerability due to usage of github.com/coreos:etcd:3.3.10 #290
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hello !
A high severity vulnerability has been discovered due to the use of github.com/coreos:etcd:3.3.10
Vulnerability description: etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Occurrences
github.com/coreos:etcd:3.3.10 is a transitive dependency introduced by the following direct dependency(s):
• github.com/gobuffalo/packr
└─ github.com/spf13:cobra:0.0.5
└─ github.com/spf13:viper:1.3.2
└─ github.com/coreos:etcd:3.3.10
and
• github.com/gobuffalo/packr
└─ github.com/gobuffalo/packr/[email protected]
└─ github.com/spf13:cobra:0.0.5
└─ github.com/spf13:viper:1.3.2
└─ github.com/coreos:etcd:3.3.10
currently there are 3 CVE at this version (3.3.10) : [CVE-2020-15114] [CVE-2020-15136] [CVE-2020-15115]
Move to the latest version of spf13:cobra v1.2.1 will be able to resolve these vulnerabilities as well as several others of the intermediate versions.
Thanks for your help
The text was updated successfully, but these errors were encountered: