From e6c2e380a911ffcfb3dea4f2aef635b8e3553a4b Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Thu, 6 Apr 2023 16:48:57 +0800
Subject: [PATCH] security: remove password after authenticating the user

fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235

Signed-off-by: Benjamin Wang
---
 server/etcdserver/v3_server.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/server/etcdserver/v3_server.go b/server/etcdserver/v3_server.go
index 0184b8d18..960a7b11f 100644
--- a/server/etcdserver/v3_server.go
+++ b/server/etcdserver/v3_server.go
@@ -454,6 +454,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
 	lg := s.Logger()
 
+	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+	defer func() {
+		if r != nil {
+			r.Password = ""
+		}
+	}()
+
 	var resp proto.Message
 	for {
 		checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)