CVE-2022-3326
MEDIUM5.4EPSS 0.19%rdiffweb vulnerable to password complexity bypass leading to weak passwords
發布日:2022/9/30修改日:2024/10/26
描述
ikus060/rdiffweb prior to 2.4.9 allows a user to set there password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass password complexity requirements with weak passwords. This issue has been fixed in version 2.4.9. No workarounds are known to exist.
受影響套件(2)
- PyPI/rdiffwebfrom 0, < 2.4.9
- PyPI/rdiffwebfrom 0, < ee98e5af78ec60db8a17fef6ea0ca250e3f31eec | from 0, < 2.4.9
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-3326
- PATCHhttps://github.com/ikus060/rdiffweb
- WEBhttps://github.com/ikus060/rdiffweb/commit/ee98e5af78ec60db8a17fef6ea0ca250e3f31eec
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-297.yaml
- WEBhttps://huntr.dev/bounties/1f6a5e49-23f2-45f7-8661-19f9cee8ae97