CVE-2021-28235: Etcd-io Improper Authentication vulnerability
CVSS Score
9.8 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.62251%
CWE
Published
4/4/2023
Updated
4/11/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
go.etcd.io/etcd/v3 | go | = 3.4.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from debug logging that exposed authentication credentials: with etcd's log level set to debug, authenticate requests were logged while the plaintext password was still present in the request. The fix in PR #15648 explicitly clears the password field in the Authenticate function (server/auth/store.go) once the credential has been checked, so the value is no longer available to anything downstream of that check, debug logging included.
The trigger condition is therefore debug logging enabled plus incoming authentication requests; anyone able to read the server logs (including a log aggregation pipeline) can recover user passwords and then authenticate as those users, which is the privilege escalation the CVE describes. Note that the advisory files this under CWE-287 (Improper Authentication); the mechanism itself, credentials written to a log file, is more precisely CWE-532 (Insertion of Sensitive Information into Log File), and the CWE-287 label reflects the impact rather than the root cause. The direct code change in the authentication flow confirms that this function is where the password lingered. Operators who cannot upgrade immediately should confirm etcd is not running with --log-level=debug, treat any existing debug logs as containing credentials, and rotate the passwords of users who authenticated while debug logging was on.
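The pattern behind the CVE and the remedy described above, as an added example that is not etcd's own code: a stand-in authenticate routine that checks a password and then hands the request to a debug logger, in a leaky form and in a fixed form that wipes the password field first. The `AuthenticateRequest` type, the `userStore` credential store (a salted SHA-256 digest instead of etcd's bcrypt, to keep the example dependency-free) and the credentials are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"strings"
)

// AuthenticateRequest mirrors the shape of an authenticate RPC: a user name
// and a plaintext password. Hypothetical type, not etcd's generated pb type.
type AuthenticateRequest struct {
	Name     string
	Password string
}

// userStore is a constructed in-memory credential store. etcd stores bcrypt
// hashes; a salted SHA-256 digest stands in here so the example needs no
// external module.
type userStore struct {
	hashes map[string][32]byte
}

func newUserStore(creds map[string]string) *userStore {
	s := &userStore{hashes: map[string][32]byte{}}
	for name, pw := range creds {
		s.hashes[name] = sha256.Sum256([]byte(name + ":" + pw))
	}
	return s
}

// checkPassword compares digests in constant time so that a wrong password
// does not leak timing information about the stored value.
func (s *userStore) checkPassword(name, pw string) bool {
	want, ok := s.hashes[name]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(name + ":" + pw))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// authenticateLeaky is the vulnerable pattern: after the password has served
// its purpose, the whole request (password included) is still passed to a
// debug logger, so the plaintext ends up in the log sink.
func authenticateLeaky(s *userStore, lg *log.Logger, debug bool, r *AuthenticateRequest) (string, error) {
	if !s.checkPassword(r.Name, r.Password) {
		return "", errors.New("auth: invalid user or password")
	}
	if debug {
		lg.Printf("debug: processing request %+v", *r) // leaks r.Password
	}
	return "token-for-" + r.Name, nil
}

// authenticateFixed applies the remedy from the advisory: once the password
// has been checked it is cleared from the request, so nothing downstream
// (debug logging, tracing, later processing) can observe it.
func authenticateFixed(s *userStore, lg *log.Logger, debug bool, r *AuthenticateRequest) (string, error) {
	ok := s.checkPassword(r.Name, r.Password)
	r.Password = "" // wipe before any further processing, on success and failure alike
	if !ok {
		return "", errors.New("auth: invalid user or password")
	}
	if debug {
		lg.Printf("debug: processing request %+v", *r) // Password is now ""
	}
	return "token-for-" + r.Name, nil
}

// newTestLogger returns a logger writing to an in-memory buffer that stands
// in for the server's log sink.
func newTestLogger() (*log.Logger, *bytes.Buffer) {
	var buf bytes.Buffer
	return log.New(&buf, "", 0), &buf
}

// logContainsPassword runs one authenticate call with debug logging enabled
// and reports whether the constructed plaintext password reached the log.
func logContainsPassword(fixed bool) bool {
	const secret = "hunter2-constructed"
	store := newUserStore(map[string]string{"root": secret})
	lg, buf := newTestLogger()
	req := &AuthenticateRequest{Name: "root", Password: secret}
	var err error
	if fixed {
		_, err = authenticateFixed(store, lg, true, req)
	} else {
		_, err = authenticateLeaky(store, lg, true, req)
	}
	if err != nil {
		panic(err)
	}
	return strings.Contains(buf.String(), secret)
}

func main() {
	fmt.Println("leaky variant writes password to log:", logContainsPassword(false))
	fmt.Println("fixed variant writes password to log:", logContainsPassword(true))
}
```

The fixed variant clears the field regardless of whether the check succeeded, because a failed login attempt is just as likely to carry a real password (a typo in the user name, for instance) and is just as likely to be logged.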