cvelist / GitHub_M / CVELIST:CVE-2023-22451
History: Jan 02, 2023 - 3:56 p.m.

CVE-2023-22451 Weak password requirements in Kiwi TCMS

2023-01-02 15:56:43
CWE-521
GitHub_M
www.cve.org
Tags: kiwi tcms, weak password, validation, default setting, version 11.7, administrator, reset passwords

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

8.9

Confidence

High

EPSS

0.002

Percentile

55.8%

Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the AUTH_PASSWORD_VALIDATORS configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.
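The advisory's fix is a Django configuration change, so the following added example (not code from Kiwi TCMS or Django) shows the `AUTH_PASSWORD_VALIDATORS` setting in its weak and hardened forms and mirrors the four checks in plain Python so the policy can be exercised without a Django install. The validator class names are Django's real ones; the assumption that the pre-11.7 state equals an empty list (Django's value when the setting is absent), the `COMMON_PASSWORDS` set, and the `policy_failures` helper are constructed for this illustration. In a real deployment the check is done by `django.contrib.auth.password_validation.validate_password`, not by this helper.

```python
import re
from difflib import SequenceMatcher

# Assumption: before 11.7 the setting was absent, which in Django means an empty
# list, so validate_password() accepts any password at all.
WEAK_AUTH_PASSWORD_VALIDATORS = []

# settings.py fragment matching the four rules the advisory lists for 11.7:
# not similar to personal data, at least 10 characters, not common, not all digits.
HARDENED_AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
     "OPTIONS": {"min_length": 10}},
    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
]

# Constructed stand-in for the common-password list Django ships with.
COMMON_PASSWORDS = {"password", "password1", "qwertyuiop", "letmein123", "iloveyou12"}


def _too_similar(password, user, max_similarity):
    """Mirror of Django's similarity rule: compare the password against each
    user attribute and its non-word-split parts using quick_ratio()."""
    pw = password.lower()
    for attr in ("username", "first_name", "last_name", "email"):
        value = user.get(attr)
        if not value:
            continue
        value = value.lower()
        parts = re.split(r"\W+", value) + [value]
        for part in parts:
            if part and SequenceMatcher(a=pw, b=part).quick_ratio() >= max_similarity:
                return True
    return False


def policy_failures(password, user=None, validators=HARDENED_AUTH_PASSWORD_VALIDATORS):
    """Return the names of the validators the password violates (empty list = accepted).
    `user` is a dict of profile attributes, e.g. {"username": "john.doe"}."""
    failures = []
    for v in validators:
        name = v["NAME"].rsplit(".", 1)[-1]
        opts = v.get("OPTIONS", {})
        if name == "UserAttributeSimilarityValidator":
            if user and _too_similar(password, user, opts.get("max_similarity", 0.7)):
                failures.append(name)
        elif name == "MinimumLengthValidator":
            if len(password) < opts.get("min_length", 8):
                failures.append(name)
        elif name == "CommonPasswordValidator":
            if password.lower().strip() in COMMON_PASSWORDS:
                failures.append(name)
        elif name == "NumericPasswordValidator":
            if password.isdigit():
                failures.append(name)
    return failures


if __name__ == "__main__":
    profile = {"username": "john.doe", "email": "john.doe@example.com"}
    for candidate in ("1234567890", "short1", "password", "john.doe2024", "correct-horse-battery"):
        print(f"{candidate!r}: weak={policy_failures(candidate, profile, WEAK_AUTH_PASSWORD_VALIDATORS)} "
              f"hardened={policy_failures(candidate, profile)}")
```

The same inputs that the empty list waves through are rejected by the hardened list for the reason the advisory names: an all-digit string fails the numeric rule, a short or dictionary password fails length or common-password checks, and a password built from the username fails the similarity rule.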

CNA Affected

[
  {
    "vendor": "kiwitcms",
    "product": "Kiwi",
    "versions": [
      {
        "version": "<= 11.6",
        "status": "affected"
      }
    ]
  }
]
