etcd before versions 3.3.23 and 3.4.10 does not perform any password length
validation, which allows for very short passwords, such as those with a
length of one. This may allow an attacker to guess or brute-force users’
passwords with little computational effort.
Author | Note |
---|---|
ebarretto | No fix available: The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations. It is the responsibility of the administrator to enforce these requirements. |