
CVE-2022-3326: rdiffweb vulnerable to password complexity bypass leading to weak passwords

CVSS Score: 5.4 (CVSS v3.0)

Basic Information

EPSS Score: 0.36288%
Published: 9/30/2022
Updated: 10/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
rdiffweb       pip         < 2.4.9               2.4.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient password complexity checks. The key evidence is in the store.py diff, where:

  1. Pre-patch code only checked password length (cfg.password_min_length / cfg.password_max_length), so a password made entirely of spaces passed as long as it fell within those bounds.
  2. Post-patch code added zxcvbn password scoring to enforce a minimum entropy score in addition to the length bounds.
  3. The CVE description explicitly mentions the missing entropy validation.
  4. Test cases were updated to use stronger passwords (e.g., 'pr3j5Dwi' instead of 'password').

The set_password function is the core authentication mechanism where password policies should be enforced, which makes it the clear vulnerable point before the entropy check was added.
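The contrast described above, as an added illustration that is not rdiffweb's code: a length-only check in the style of the pre-patch set_password beside a check that also requires a minimum zxcvbn score. The Config field names password_min_length and password_max_length mirror the options cited in the analysis; password_score, the default limits, the hashing scheme and the sample passwords are assumptions made for this example. The real zxcvbn library is used when it is installed; otherwise a crude, clearly labelled stand-in scorer keeps the example runnable.

```python
"""Length-only vs. entropy-scored password policy, modelled on the CVE-2022-3326 fix.

Added example, not rdiffweb's code. Option names follow the analysis above;
password_score and the default limits are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass

try:
    from zxcvbn import zxcvbn  # the scorer the rdiffweb patch adopted
except ImportError:  # stand-in so the example runs without the dependency
    zxcvbn = None


@dataclass
class Config:
    password_min_length: int = 8     # assumed default
    password_max_length: int = 128   # assumed default
    password_score: int = 2          # assumed minimum zxcvbn score (0..4)


def _crude_score(password: str) -> int:
    """Constructed stand-in used only when zxcvbn is absent; far weaker than zxcvbn."""
    if not password.strip() or len(set(password)) < 4:
        return 0  # all whitespace, or almost no distinct characters
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes == 1:
        return 0  # single character class, e.g. 'password'
    return min(4, classes - 1 + (1 if len(password) >= 12 else 0))


def password_score(password: str) -> int:
    """0..4 guessability score: zxcvbn if installed, else the crude stand-in."""
    if zxcvbn is not None:
        return zxcvbn(password)["score"]
    return _crude_score(password)


def check_password_legacy(password: str, cfg: Config = Config()) -> None:
    """Pre-patch behaviour: only the length bounds are enforced, so 8 spaces pass."""
    if not cfg.password_min_length <= len(password) <= cfg.password_max_length:
        raise ValueError("password length out of bounds")


def check_password(password: str, cfg: Config = Config()) -> None:
    """Post-patch behaviour: length bounds plus a minimum entropy score."""
    check_password_legacy(password, cfg)
    if password_score(password) < cfg.password_score:
        raise ValueError("password too guessable")


def is_accepted(checker, password: str) -> bool:
    """True when the given policy accepts the password."""
    try:
        checker(password)
    except ValueError:
        return False
    return True


def set_password(password: str, cfg: Config = Config()) -> tuple[bytes, bytes]:
    """Enforce the policy at the point where the password is stored (assumed
    PBKDF2 storage; rdiffweb's own hashing is not reproduced here)."""
    check_password(password, cfg)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


if __name__ == "__main__":
    for pw in [" " * 8, "password", "Tq7!vL2#mWz9@pK4&rY6"]:
        print(repr(pw), "legacy:", is_accepted(check_password_legacy, pw),
              "patched:", is_accepted(check_password, pw))
```

The legacy checker accepts both eight spaces and 'password' because each is within the length bounds; the patched checker rejects both and accepts the long mixed-class sample. Placing the check inside set_password, rather than only in a form validator, means every caller that stores a password is covered.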


WAF Protection Rules

WAF Rule

ikus060/rdiffweb prior to 2.4.9 allows a user to set their password to all spaces. While rdiffweb has a password policy requiring passwords to be between 8 and 128 characters, it does not validate the password entropy, allowing users to bypass passwo
