Vulnerability due to usage of github.com/coreos:etcd:3.3.10 #290
Description
Hello!
A high severity vulnerability has been discovered due to the use of github.com/coreos:etcd:3.3.10
Vulnerability description: etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Occurrences
github.com/coreos:etcd:3.3.10 is a transitive dependency introduced by the following direct dependency(s):
• github.com/gobuffalo/packr
  └─ github.com/spf13:cobra:0.0.5
     └─ github.com/spf13:viper:1.3.2
        └─ github.com/coreos:etcd:3.3.10
and
• github.com/gobuffalo/packr
  └─ github.com/gobuffalo/packr/v2@v2.7.1
     └─ github.com/spf13:cobra:0.0.5
        └─ github.com/spf13:viper:1.3.2
           └─ github.com/coreos:etcd:3.3.10
Currently there are 3 CVEs at this version (3.3.10): [CVE-2020-15114] [CVE-2020-15136] [CVE-2020-15115]
Moving to the latest version of spf13:cobra v1.2.1 will be able to resolve these vulnerabilities as well as several others of the intermediate versions.
Thanks for your help
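
One way to confirm the dependency chains reported above is to walk `go mod graph` output and list every path from the root module to the flagged one. This is an added example, not code from the issue or from the packr project; the embedded graph is constructed from the versions named in the issue, and the Go-style module paths, the `+incompatible` suffix and the `example.com/unrelated` module are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format, mirroring the issue's two chains (not real output).
const sampleGraph = `github.com/gobuffalo/packr github.com/spf13/cobra@v0.0.5
github.com/gobuffalo/packr github.com/gobuffalo/packr/v2@v2.7.1
github.com/gobuffalo/packr/v2@v2.7.1 github.com/spf13/cobra@v0.0.5
github.com/spf13/cobra@v0.0.5 github.com/spf13/viper@v1.3.2
github.com/spf13/cobra@v0.0.5 example.com/unrelated@v1.0.0
github.com/spf13/viper@v1.3.2 github.com/coreos/etcd@v3.3.10+incompatible
`

// PathsTo returns every chain from root to a module whose path (before "@") equals target.
func PathsTo(graph, root, target string) [][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	var out [][]string
	onPath := map[string]bool{} // modules on the current chain, to skip cycles
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		path = append(path, node)
		if mod, _, _ := strings.Cut(node, "@"); mod == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		onPath[node] = true
		for _, next := range edges[node] {
			if !onPath[next] {
				walk(next, path)
			}
		}
		onPath[node] = false
	}
	walk(root, nil)
	return out
}

func main() {
	for _, p := range PathsTo(sampleGraph, "github.com/gobuffalo/packr", "github.com/coreos/etcd") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

In a real checkout, pipe the output of `go mod graph` into the same function in place of the constructed sample.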