Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04d3hmLWM0NXctZzY2Z84AAvIb
rdiffweb vulnerable to password complexity bypass leading to weak passwords
ikus060/rdiffweb prior to 2.4.9 allows a user to set there password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass password complexity requirements with weak passwords. This issue has been fixed in version 2.4.9. No workarounds are known to exist.
Permalink: https://github.com/advisories/GHSA-8wxf-c45w-g66gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04d3hmLWM0NXctZzY2Z84AAvIb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 8 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-8wxf-c45w-g66g, CVE-2022-3326
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-3326
- https://github.com/ikus060/rdiffweb/commit/ee98e5af78ec60db8a17fef6ea0ca250e3f31eec
- https://huntr.dev/bounties/1f6a5e49-23f2-45f7-8661-19f9cee8ae97
- https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-297.yaml
- https://github.com/advisories/GHSA-8wxf-c45w-g66g
Affected Packages
pypi:rdiffweb
Versions: < 2.4.9Fixed in: 2.4.9