
CVE-2021-28235: Etcd-io Improper Authentication vulnerability

CVSS Score (v3.1)
9.8

Basic Information

EPSS Score
0.62251%
Published
4/4/2023
Updated
4/11/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
go.etcd.io/etcd/v3 | go | = 3.4.10 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from debug logs exposing authentication credentials. The fix in PR #15648 explicitly clears the password field in the Authenticate function (server/auth/store.go) after successful authentication. This matches the CWE-287 description of improper authentication via credential leakage, and aligns with the vulnerability's trigger condition (debug logging enabled + authentication requests). The direct code modification in the authentication flow confirms this function's role in the vulnerability.
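As an added illustration of the root cause and fix described above (example code written for this page, not etcd's own), the following Go program models an API layer whose debug logger dumps the whole request with %+v after the auth store has checked it: the leaky store leaves the plaintext password in the request, the fixed store clears the field the way the PR does. Type, function and user names are hypothetical, and this version clears the password on failure as well, which is a slightly broader scrub than the page describes.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthenticateRequest stands in for the RPC message carrying a user's
// credentials (a hypothetical type for this example, not etcd's own).
type AuthenticateRequest struct {
	Name     string
	Password string
}

// checkPassword stands in for real verification (constructed sample user).
func checkPassword(name, password string) bool {
	return name == "alice" && password == "s3cret"
}

// storeAuthenticateLeaky mirrors the pre-fix behaviour: it verifies the
// credentials but leaves the plaintext password in the request object.
func storeAuthenticateLeaky(r *AuthenticateRequest) bool {
	return checkPassword(r.Name, r.Password)
}

// storeAuthenticateFixed mirrors the fix: once the password has been
// checked, the field is cleared so nothing downstream can log it.
func storeAuthenticateFixed(r *AuthenticateRequest) bool {
	ok := checkPassword(r.Name, r.Password)
	r.Password = "" // scrub the secret before any logger sees the request
	return ok
}

// handleAuthenticate plays the API layer: it runs the store function and
// then, as a debug-level request logger would, dumps the request with %+v.
func handleAuthenticate(store func(*AuthenticateRequest) bool, r *AuthenticateRequest) (bool, string) {
	ok := store(r)
	return ok, fmt.Sprintf("debug: Authenticate request=%+v ok=%t", *r, ok)
}

// leaksSecret reports whether a log line contains the given secret.
func leaksSecret(logLine, secret string) bool {
	return strings.Contains(logLine, secret)
}

func main() {
	_, line := handleAuthenticate(storeAuthenticateFixed, &AuthenticateRequest{Name: "alice", Password: "s3cret"})
	fmt.Println(line, "leaks:", leaksSecret(line, "s3cret"))
}
```

Swapping storeAuthenticateLeaky into the call in main shows the same debug line with the password still present.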
