CVE-2022-3326 – rdiffweb

Package

Manager: pip
Name: rdiffweb
Vulnerable Version: >=0 <2.4.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00159 pctl0.37293

Details

rdiffweb vulnerable to password complexity bypass leading to weak passwords ikus060/rdiffweb prior to 2.4.9 allows a user to set there password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass password complexity requirements with weak passwords. This issue has been fixed in version 2.4.9. No workarounds are known to exist.

Metadata

Created: 2022-09-30T00:00:47Z
Modified: 2024-10-26T18:38:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-8wxf-c45w-g66g/GHSA-8wxf-c45w-g66g.json
CWE IDs: ["CWE-521"]
Alternative ID: GHSA-8wxf-c45w-g66g
Finding: F035
Auto approve: 1