Fluid Attacks Database

Description

rdiffweb vulnerable to password complexity bypass leading to weak passwords ikus060/rdiffweb prior to 2.4.9 allows a user to set there password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass password complexity requirements with weak passwords. This issue has been fixed in version 2.4.9. No workarounds are known to exist.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	rdiffweb	>=0 <2.4.9	2.4.9

Aliases

1. CVE-2022-33262. NVD-2022-33263. OSV-2022-33264. GCVE-2022-3326

References

1. https://github.com/ikus060/rdiffweb/commit/ee98e5af78ec60db8a17fef6ea0ca250e3f31eec2. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-297.yaml3. https://huntr.dev/bounties/1f6a5e49-23f2-45f7-8661-19f9cee8ae97

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.