From 8b1cd036ffa83204b29f53bd74fae190e9187781 Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Thu, 6 Apr 2023 16:48:57 +0800
Subject: [PATCH] security: remove password after authenticating the user

fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235

Signed-off-by: Benjamin Wang
---
 server/etcdserver/v3_server.go | 7 +++++++
 tests/e2e/ctl_v3_auth_security_test.go | 1 +
 2 files changed, 8 insertions(+)

diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
index 4f1cd6b13..6fcc1b4a3 100644
--- a/server/etcdserver/v3_server.go
+++ b/server/etcdserver/v3_server.go
@@ -445,6 +445,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
 lg := s.Logger()
+ // fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+ defer func() {
+ if r != nil {
+ r.Password = ""
+ }
+ }()
+
 var resp proto.Message
 for {
 checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
index 789c9b3cb..754fa4bc1 100644
--- a/tests/e2e/ctl_v3_auth_security_test.go
+++ b/tests/e2e/ctl_v3_auth_security_test.go
@@ -21,6 +21,7 @@ import (
 "testing"
 "github.com/stretchr/testify/require"
+ "go.etcd.io/etcd/tests/v3/framework/e2e"
 )
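Review bot: The comment added above the new `defer` in Authenticate only cites the CVE URL and does not say what clearing the field achieves, so a maintainer cannot tell which code path it protects or whether it may be removed. Because the body still reads `r.Password` in the `for` loop after the defer is registered, the assignment only matters for whatever inspects the request after Authenticate returns — presumably the request logging/debug path the CVE describes, which is not visible in this hunk. I would replace the comment with `// Clear the password before returning so it is not retained on the request object` / `// that callers may log or dump after Authenticate returns (CVE-2021-28235).`. It is also worth stating in that comment that `r.Password = ""` only drops the struct's reference: Go strings are immutable, so the plaintext bytes stay in memory until garbage-collected and any copy already taken elsewhere (for example by the decoded wire buffer) is unaffected, i.e. this is not a memory scrub. Authenticate's body continues past the end of the hunk.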