Trail of Bits

etcd

Type

Security review

Client

the Linux Foundation

Date

2020-01

Domain

Supply Chain

Effort

4 wks

Section

Cloud-Native Reviews

Trail of Bits' security review of etcd, commissioned by the Linux Foundation (January 2020), identified 17 issues: 1 high, 6 medium, 6 low, and 4 informational.

Findings · 17

  1. Gateway TLS endpoint validation only confirms TCP reachability (Medium)
  2. The gateway can include itself as an endpoint, resulting in resource exhaustion (High)
  3. Directories created via os.MkdirAll are not checked for permissions (Medium)
  4. Gateway TLS authentication only applies to endpoints detected in DNS SRV records (Medium)
  5. TOCTOU of gateway endpoint authentication (Low)
  6. An entry with large index causes panic in WAL.ReadAll method (Medium)
  7. A large slice causes panic in decodeRecord method (Medium)
  8. No minimum password length (Medium)
  9. Inaccurate logging of authentication attempts for users with CN-based auth only (Low)
  10. The "Total number of db keys compacted" metric is never changed (Informational)
  11. Auto compaction retention can be set to negative value causing a compaction loop or a crash (Low)
  12. User credentials are stored in WAL logs in plaintext (Low)
  13. Null pointer exception when calling wal.ReadAll after wal.Create (Informational)
  14. Submitting a -1 for cluster node size results in an index out-of-bound panic during service discovery (Low)
  15. Insecure ciphers are allowed by default (Low)
  16. etcd is insecure by default (Informational)
  17. Use of TLS InsecureSkipVerify (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.
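Finding 3 illustrates a general Go pitfall worth seeing in working code: os.MkdirAll returns nil when the target already exists as a directory, without touching its mode, so a data directory that was pre-created world-readable is silently accepted. The following is an added example written for this page, not etcd's own code and not taken from the report; the function name EnsureDirWithPerm and the 0700 requirement are assumptions chosen for illustration. It creates the directory, then re-checks the on-disk mode with os.Stat and rejects a mismatch.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// EnsureDirWithPerm creates dir (and any missing parents) with mode want and
// then verifies that the directory actually carries that mode.
//
// os.MkdirAll alone is not sufficient: it returns nil for an existing
// directory regardless of its permissions, so a pre-existing 0777 directory
// would pass unnoticed. Only the permission bits are compared; the umask
// still applies to newly created directories, so callers should request a
// mode that the umask cannot widen (0700 is safe under any common umask).
func EnsureDirWithPerm(dir string, want os.FileMode) error {
	if err := os.MkdirAll(dir, want); err != nil {
		return fmt.Errorf("creating %s: %w", dir, err)
	}
	info, err := os.Stat(dir)
	if err != nil {
		return fmt.Errorf("stat %s: %w", dir, err)
	}
	if !info.IsDir() {
		return fmt.Errorf("%s exists but is not a directory", dir)
	}
	if got := info.Mode().Perm(); got != want.Perm() {
		return fmt.Errorf("directory %s has mode %04o, expected %04o", dir, got, want.Perm())
	}
	return nil
}

func main() {
	// Constructed scenario: a scratch directory standing in for a data dir.
	base, err := os.MkdirTemp("", "perm-check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)

	// Case 1: the directory already exists with loose permissions.
	loose := filepath.Join(base, "loose")
	if err := os.Mkdir(loose, 0700); err != nil {
		panic(err)
	}
	// Chmod is not subject to the umask, so this really becomes 0777.
	if err := os.Chmod(loose, 0777); err != nil {
		panic(err)
	}
	fmt.Println("pre-existing 0777 dir:", EnsureDirWithPerm(loose, 0700))

	// Case 2: a fresh path is created and verified in one step.
	fresh := filepath.Join(base, "fresh", "nested")
	fmt.Println("fresh 0700 dir:", EnsureDirWithPerm(fresh, 0700))
}
```

The check is deliberately strict (exact match on the permission bits rather than "no wider than"); loosen it only if the deployment intentionally shares the directory with a group, and keep the Stat after MkdirAll so the mode of an already-present directory is never assumed.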

Related