MEDIUM 5.4 PyPI

rdiffweb vulnerable to password complexity bypass leading to weak passwords

GHSA-8wxf-c45w-g66g · CVE-2022-3326 · PYSEC-2022-297


Description

ikus060/rdiffweb prior to 2.4.9 allows a user to set their password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass password complexity requirements with weak passwords. This issue has been fixed in version 2.4.9. No workarounds are known to exist.
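To illustrate the class of weakness described above, the following is an added example (not rdiffweb's own code): a length-only validator of the kind the advisory describes, which accepts eight spaces, next to a hardened check that also rejects all-whitespace input, requires more than one character class and enforces a minimum estimated entropy. The 30-bit threshold and the character-class rule are assumptions chosen for the example, not values from the advisory.

```python
import math
from collections import Counter

MIN_LEN, MAX_LEN = 8, 128  # length bounds quoted in the advisory


def length_only_ok(password: str) -> bool:
    """Policy as the advisory describes it: only the length is checked,
    so a password made entirely of spaces passes."""
    return MIN_LEN <= len(password) <= MAX_LEN


def shannon_entropy_bits(password: str) -> float:
    """Estimated entropy of the whole string in bits, derived from the
    frequency of each character. A single repeated character scores 0."""
    if not password:
        return 0.0
    n = len(password)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return per_char * n


def strong_ok(password: str, min_entropy_bits: float = 30.0) -> bool:
    """Hardened check constructed for this example: length bounds, no
    all-whitespace passwords, at least two character classes, and a
    minimum estimated entropy (threshold is an assumed value)."""
    if not (MIN_LEN <= len(password) <= MAX_LEN):
        return False
    if not password.strip():  # rejects the all-spaces case from the advisory
        return False
    classes = sum([
        any(ch.islower() for ch in password),
        any(ch.isupper() for ch in password),
        any(ch.isdigit() for ch in password),
        any(not ch.isalnum() for ch in password),
    ])
    if classes < 2:
        return False
    return shannon_entropy_bits(password) >= min_entropy_bits


if __name__ == "__main__":
    for candidate in [" " * 8, "aaaaaaaa", "Tr0ub4dor&3"]:
        print(repr(candidate), length_only_ok(candidate), strong_ok(candidate))
```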
