security: remove password after authenticating the user

fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235 Signed-off-by: Benjamin Wang <wachao@vmware.com>
etcd-io · Apr 6, 2023 · 828002f · 828002f
1 parent 1586f6d
commit 828002f
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
@@ -445,6 +445,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
 
 	lg := s.Logger()
 
+	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+	defer func() {
+		if r != nil {
+			r.Password = ""
+		}
+	}()
+
 	var resp proto.Message
 	for {
 		checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)

diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
@@ -636,7 +636,7 @@ func authTestCacheReload(cx ctlCtx) {
 	}
 }
 
-// Verify https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
 func TestAuth_CVE_2021_28235(t *testing.T) {
 	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
 }