
Cloud Vulnerability DB
A community-led vulnerabilities database
A data validation vulnerability was discovered in etcd's embed package, specifically in the parseCompactionRetention function within embed/etcd.go. The vulnerability, identified as GHSA-pm3m-32r3-7mfh, affects versions <= 3.4.9 of etcd and was disclosed on August 5, 2020. The issue has been patched in versions 3.4.10 and 3.3.23 (GitHub Advisory).
The vulnerability stems from insufficient input validation in the parseCompactionRetention function located in embed/etcd.go. The function allows the retention variable value to be negative, which leads to unexpected behavior in the system's compaction functionality (GitHub Advisory). The severity of this vulnerability has been assessed as Low.
When exploited, this vulnerability causes the node to execute history compaction in a loop, resulting in excessive CPU usage and log spam. This can potentially affect system performance and storage management capabilities (GitHub Advisory).
Users are advised to upgrade to the patched versions: etcd version 3.4.10 or 3.3.23, which address this vulnerability. For those unable to upgrade immediately, it is recommended to ensure that compaction retention values are properly validated before being passed to the system (GitHub Advisory).
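For deployments that cannot upgrade yet, the validation described above can be done in the code or tooling that builds the etcd configuration. The following is an added example, not etcd's own code: `validateCompactionRetention` is a hypothetical helper, and it assumes etcd's flag semantics for `--auto-compaction-mode` (`periodic` or `revision`) and `--auto-compaction-retention` (an integer, or a Go duration string in periodic mode). It rejects negative values in both the integer and the duration form.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"time"
)

// validateCompactionRetention is a hypothetical pre-flight check (not etcd code).
// It returns the retention as a duration (periodic) or a revision count (revision).
func validateCompactionRetention(mode, retention string) (time.Duration, error) {
	if mode != "periodic" && mode != "revision" {
		return 0, fmt.Errorf("unknown compaction mode %q", mode)
	}
	// Integer form: hours in periodic mode, number of revisions in revision mode.
	if n, err := strconv.ParseInt(retention, 10, 64); err == nil {
		if n < 0 {
			return 0, fmt.Errorf("negative retention %d rejected", n)
		}
		if mode == "revision" {
			return time.Duration(n), nil
		}
		const maxHours = math.MaxInt64 / int64(time.Hour)
		if n > maxHours { // would overflow and wrap to a negative duration
			return 0, fmt.Errorf("retention %d hours overflows", n)
		}
		return time.Duration(n) * time.Hour, nil
	}
	// Duration form ("30m", "72h"). Stricter than etcd: only allowed in periodic mode.
	d, err := time.ParseDuration(retention)
	if err != nil {
		return 0, fmt.Errorf("cannot parse retention %q: %v", retention, err)
	}
	if mode == "revision" {
		return 0, fmt.Errorf("revision mode needs an integer, got %q", retention)
	}
	if d < 0 {
		return 0, fmt.Errorf("negative retention %v rejected", d)
	}
	return d, nil
}

func main() {
	// Constructed sample inputs: {mode, retention}.
	for _, in := range [][2]string{{"periodic", "5"}, {"periodic", "-1"}, {"periodic", "-1h"}, {"revision", "1000"}} {
		d, err := validateCompactionRetention(in[0], in[1])
		fmt.Printf("%s %q -> %v, err=%v\n", in[0], in[1], d, err)
	}
}
```

Run the check before the values reach the etcd process or the `embed` configuration, and fail the deployment on error rather than falling back to a default.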
Source: This report was generated using AI