
Cloud Vulnerability DB
A community-led vulnerabilities database
A low severity vulnerability (GHSA-528j-9r78-wffx) was discovered in etcd, affecting versions <= 3.4.9, where user credentials (login and password) are stored in plaintext within Write-Ahead Logging (WAL) entries during user authentication. The vulnerability was published on August 5, 2020, and has been patched in versions 3.4.10 and 3.3.23 (GitHub Advisory).
The vulnerability stems from the storage of authentication credentials in WAL entries as plaintext during the user authentication process. The issue was identified in the authentication flow where InternalAuthenticateRequest contained password information that was being recorded in the WAL logs (Etcd PR). The vulnerability is classified as a Data Exposure issue with a Low severity rating, primarily because it requires access to the server's WAL log files to exploit.
If the WAL log files are not properly secured, sensitive information including user credentials could be exposed to unauthorized parties. This vulnerability particularly impacts environments where unauthorized parties might gain physical or system-level access to etcd server storage (GitHub Advisory).
The primary mitigation is to upgrade to patched versions (3.4.10 or 3.3.23). Additionally, etcd users must ensure that the server WAL log files are properly secured as etcd doesn't encrypt key/value data stored on disk drives. The fix implemented removes the password from InternalAuthenticateRequest, preventing it from being recorded in the WAL entries (GitHub PR).
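Both mitigations above can be checked on a host. The following is an added example, not code from the advisory or the etcd project: it tests a version string against the fixed releases named here and lists WAL entries that group or other users can access. The function names are hypothetical, and the WAL directory path is an input the operator supplies.

```python
import os
import re
import stat

# Fixed releases named in the advisory, keyed by (major, minor) branch.
PATCHED = {(3, 4): 10, (3, 3): 23}


def is_affected(version: str) -> bool:
    """True if the version is in the affected range (<= 3.4.9, except 3.3.23 and later 3.3.x)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised etcd version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in PATCHED:
        return patch < PATCHED[(major, minor)]
    # Branches with no fixed release listed: affected if older than 3.4.
    return (major, minor) < (3, 4)


def audit_wal_permissions(wal_dir: str) -> list[tuple[str, str]]:
    """Return (path, octal mode) for the WAL dir and each entry that group/other can access."""
    paths = [wal_dir]
    for root, dirs, files in os.walk(wal_dir):
        paths += [os.path.join(root, name) for name in dirs + files]
    findings = []
    for path in paths:
        if os.path.islink(path):
            continue  # symlink mode bits are not meaningful; skip them
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # any group or other permission bit set
            findings.append((path, oct(mode)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python check_etcd_wal.py <etcd version> <WAL directory>
    version, wal_dir = sys.argv[1], sys.argv[2]
    print("affected" if is_affected(version) else "not affected")
    for path, mode in audit_wal_permissions(wal_dir):
        print(f"loose permissions {mode}: {path}")
```

An empty findings list only means the mode bits are owner-only; it does not cover backups or snapshots of the WAL taken before the upgrade.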
Source: This report was generated using AI