{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-05T00:00:00Z",
  "bugzilla" : {
    "description" : "etcd: improper validation of passwords allow an attacker to guess or brute-force user's passwords",
    "id" : "1868878",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1868878"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.", "A flaw was found in etcd, where it does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This flaw allows an attacker to guess or brute-force users' passwords with little computational effort. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "Red Hat OpenShift Container Platform (RHOCP) does not use etcd role-based access control (RBAC); OpenShift OAuth authentication is used instead. Therefore, RHOCP is not affected by this vulnerability.\nA similar configuration is in place in Red Hat OpenStack Platform (RHOSP), as etcd does not use a password for access and instead uses a TLS certificate.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2021-03-17T00:00:00Z",
    "advisory" : "RHSA-2021:0916",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "etcd-0:3.3.23-1.el8ost"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "etcd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-etcd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 15 (Stein)",
    "fix_state" : "Fix deferred",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:openstack:15",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "etcd",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-15115\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15115\nhttps://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh" ],
  "name" : "CVE-2020-15115",
  "csaw" : false
}