Vulnerability-Lookup

CVE-2022-3376 (GCVE-0-2022-3376)

Vulnerability from cvelistv5 – Published: 2022-10-06 00:00 – Updated: 2024-08-03 01:07

Title

Weak Password Requirements in ikus060/rdiffweb

Summary

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

Severity ?

3.5 (Low)


                        
                          CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE

CWE-521 - Weak Password Requirements

Assigner

@huntrdev

References

URL

	Vendor	Product	Version
	ikus060	ikus060/rdiffweb	Affected: unspecified , < 2.5.0a4 (custom)

PYSEC-2022-43157

Vulnerability from pysec - Published: 2022-10-06 18:16 - Updated: 2024-11-21 14:23

Details

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Impacted products

Name	purl
rdiffweb	pkg:pypi/rdiffweb

Aliases

CVE-2022-3376

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb",
        "purl": "pkg:pypi/rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
            }
          ],
          "repo": "https://github.com/ikus060/rdiffweb",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.11a1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.0",
        "0.10.2",
        "0.10.3",
        "0.10.4",
        "0.10.5",
        "0.10.6",
        "0.10.7",
        "0.10.8",
        "0.10.9",
        "0.9.2.dev1",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "1.0.0",
        "1.0.0a1",
        "1.0.0a2",
        "1.0.0a3",
        "1.0.0a4",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.1.0",
        "1.2.0",
        "1.2.1",
        "1.2.2",
        "1.3.0",
        "1.3.1",
        "1.3.1b1",
        "1.3.1b2",
        "1.3.2",
        "1.4.0",
        "1.4.0b1",
        "1.4.0b2",
        "1.4.0b3",
        "1.4.0b4",
        "1.4.0b5",
        "1.4.1b1",
        "1.4.1b2",
        "1.4.1b3",
        "1.5.0",
        "1.5.1b1",
        "1.5.1b2",
        "1.6.0b1",
        "2.0.1b2",
        "2.0.1b3",
        "2.0.2",
        "2.0.3a1",
        "2.0.3a2",
        "2.0.3a3",
        "2.0.3a4",
        "2.0.3a5",
        "2.0.3a6",
        "2.0.3a7",
        "2.1.0",
        "2.2.0",
        "2.2.0.dev1",
        "2.2.0a1",
        "2.2.0a2",
        "2.2.0a3",
        "2.2.0a4",
        "2.2.0a5",
        "2.2.0a6",
        "2.2.1",
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.3.3",
        "2.3.4",
        "2.3.5",
        "2.3.6",
        "2.3.7",
        "2.3.8",
        "2.3.9",
        "2.4.0",
        "2.4.1",
        "2.4.10",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.4.5",
        "2.4.6",
        "2.4.7",
        "2.4.8",
        "2.4.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3376"
  ],
  "details": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.",
  "id": "PYSEC-2022-43157",
  "modified": "2024-11-21T14:23:00.333240+00:00",
  "published": "2022-10-06T18:16:00+00:00",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
    },
    {
      "type": "EVIDENCE",
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    },
    {
      "type": "FIX",
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WR6-FJ4X-893V

Vulnerability from github – Published: 2022-10-06 18:52 – Updated: 2024-11-22 20:17

Summary

rdiffweb allows a new password to be the same as the previous password

Details

rdiffweb prior to 2.5.0a4 allows users to set their new password to be the same as the old password during a password reset. Version 2.5.0a4 enforces a password policy in which a new password cannot be the same as the old one.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-521"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T20:10:38Z",
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "rdiffweb prior to 2.5.0a4 allows users to set their new password to be the same as the old password during a password reset. Version 2.5.0a4 enforces a password policy in which a new password cannot be the same as the old one.",
  "id": "GHSA-7wr6-fj4x-893v",
  "modified": "2024-11-22T20:17:33Z",
  "published": "2022-10-06T18:52:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikus060/rdiffweb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-43157.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rdiffweb allows a new password to be the same as the previous password"
}

FKIE_CVE-2022-3376

Vulnerability from fkie_nvd - Published: 2022-10-06 18:16 - Updated: 2024-11-21 07:19

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

References

URL	Tags
security@huntr.dev	https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed	Exploit, Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
ikus-soft	rdiffweb	*
ikus-soft	rdiffweb	2.5.0
ikus-soft	rdiffweb	2.5.0
ikus-soft	rdiffweb	2.5.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB8BEAE7-49D4-46D5-86FD-BBB48BA14234",
              "versionEndIncluding": "2.4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "E967F2E5-0F47-436B-9DC7-4F8D051F5615",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "039D2014-4F4C-4B3F-81B1-EFA08EE3D513",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "37EFE887-5C53-48EA-974C-25F36D6014EC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4."
    },
    {
      "lang": "es",
      "value": "Unos Requisitos de Contrase\u00f1a D\u00e9biles en el repositorio de GitHub ikus060/rdiffweb versiones anteriores a 2.5.0a4"
    }
  ],
  "id": "CVE-2022-3376",
  "lastModified": "2024-11-21T07:19:24.040",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.0"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 2.5,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-06T18:16:21.107",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-521"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-521"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-3376

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

Aliases

CVE-2022-3376

Aliases

CVE-2022-3376

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-3376",
    "id": "GSD-2022-3376"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-3376"
      ],
      "details": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.",
      "id": "GSD-2022-3376",
      "modified": "2023-12-13T01:19:40.513630Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-3376",
        "STATE": "PUBLIC",
        "TITLE": "Weak Password Requirements in ikus060/rdiffweb"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ikus060/rdiffweb",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.5.0a4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "ikus060"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "PHYSICAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-521 Weak Password Requirements"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
          },
          {
            "name": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9",
            "refsource": "MISC",
            "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
          }
        ]
      },
      "source": {
        "advisory": "a9021e93-6d18-4ac1-98ce-550c4697a4ed",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.5.0",
          "affected_versions": "All versions before 2.5.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-10-06",
          "description": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.",
          "fixed_versions": [
            "2.5.0"
          ],
          "identifier": "CVE-2022-3376",
          "identifiers": [
            "GHSA-7wr6-fj4x-893v",
            "CVE-2022-3376"
          ],
          "not_impacted": "All versions starting from 2.5.0",
          "package_slug": "pypi/rdiffweb",
          "pubdate": "2022-10-06",
          "solution": "Upgrade to version 2.5.0 or above.",
          "title": "rdiffweb allows a new password to be the same as the previous password",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-3376",
            "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9",
            "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed",
            "https://github.com/advisories/GHSA-7wr6-fj4x-893v"
          ],
          "uuid": "2dcd19b3-108c-4979-9784-f110d74b1216"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ikus-soft:rdiffweb:2.5.0:alpha3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.10",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-3376"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.5.0a4."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-521"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ikus060/rdiffweb/commit/2ffc2af65c8f8113b06e0b89929c604bcdf844b9"
            },
            {
              "name": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/a9021e93-6d18-4ac1-98ce-550c4697a4ed"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-10-12T02:58Z",
      "publishedDate": "2022-10-06T18:16Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-3376 (GCVE-0-2022-3376)

PYSEC-2022-43157

GHSA-7WR6-FJ4X-893V

FKIE_CVE-2022-3376

GSD-2022-3376

Tags

Sightings

Nomenclature