Vulnerability due to usage of github.com/coreos:etcd:3.3.10 #290
Description
Hello !
A high severity vulnerability has been discovered due to the use of github.com/coreos:etcd:3.3.10
Vulnerability description: etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Occurrences
github.com/coreos:etcd:3.3.10 is a transitive dependency introduced by the following direct dependency(s):
• github.com/gobuffalo/packr
└─ github.com/spf13:cobra:0.0.5
└─ github.com/spf13:viper:1.3.2
└─ github.com/coreos:etcd:3.3.10
and
• github.com/gobuffalo/packr
└─ github.com/gobuffalo/packr/[email protected]
└─ github.com/spf13:cobra:0.0.5
└─ github.com/spf13:viper:1.3.2
└─ github.com/coreos:etcd:3.3.10
currently there are 3 CVE at this version (3.3.10) : [CVE-2020-15114] [CVE-2020-15136] [CVE-2020-15115]
Move to the latest version of spf13:cobra v1.2.1 will be able to resolve these vulnerabilities as well as several others of the intermediate versions.
Thanks for your help