
CVE-2023-0569: Publify contains Weak Password Requirements

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.31783%
Published: 1/29/2023
Updated: 2/21/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
publify_core | rubygems  | < 9.2.10            | 9.2.10

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from insufficient password-complexity checks. The key evidence is the patch adding :zxcvbnable to the Devise modules in User.rb and requiring the devise_zxcvbn gem. Before 9.2.10, the User model used only Devise's standard :validatable module, which performs basic validations (length >= 8 characters, confirmation match) but does not enforce complexity. The test-case change from 'top-secret' to 'top-Secret12!$#' and the added password-strength tests confirm that the absence of complexity validation was the root cause.
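The following Ruby example is added here to illustrate the two policies the analysis contrasts; it is not Publify's code and does not use Devise or the devise_zxcvbn gem. `legacy_valid?` reproduces the pre-9.2.10 behaviour the analysis attributes to Devise's :validatable (length >= 8 and confirmation match). `strength_score` is a simplified stand-in for a zxcvbn-style strength estimate (character classes, length, a small constructed dictionary, digit runs); the real zxcvbn library estimates guessability with pattern matching and is not reproduced here, and the module name, word list and the `min_score: 3` threshold are assumptions. The two sample passwords are the ones quoted from the patched test case.

```ruby
# Added example, not Publify's code. Per the analysis above, the fix added
# :zxcvbnable to the Devise module list in the User model; in Devise syntax
# that looks like (illustrative, not copied from Publify):
#   devise :database_authenticatable, :validatable, :zxcvbnable
# Everything below is a stand-alone model of the two policies.

module PasswordPolicy
  MIN_LENGTH = 8

  # Constructed sample dictionary for the stand-in check (zxcvbn ships far larger lists).
  COMMON_WORDS = %w[password secret admin welcome letmein qwerty publify top].freeze

  # Pre-fix behaviour as described for Devise's :validatable module:
  # the password only has to be long enough and match its confirmation.
  def self.legacy_valid?(password, confirmation)
    !password.nil? &&
      password.length >= MIN_LENGTH &&
      password == confirmation
  end

  # Simplified strength estimate (assumption: NOT the zxcvbn algorithm).
  # One point per extra character class, one for length >= 12, minus one
  # when the password is mostly dictionary words and minus one for digit runs.
  # Clamped to 0..4 to mirror zxcvbn's score range, but not comparable to it.
  def self.strength_score(password)
    return 0 if password.nil? || password.empty?

    classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9]/].count { |re| password.match?(re) }
    score = classes - 1 # lower-case only scores 0
    score += 1 if password.length >= 12

    # Remove dictionary words; if little else remains, the password is mostly dictionary.
    residue = COMMON_WORDS.reduce(password.downcase) { |s, w| s.gsub(w, '') }
    score -= 1 if residue.gsub(/[^a-z0-9]/, '').length < 4
    score -= 1 if password.match?(/(?:0123|1234|2345|3456|4567|5678|6789)/)

    score.clamp(0, 4)
  end

  # Post-fix behaviour: the legacy rules still apply, plus a minimum strength
  # score, the way :zxcvbnable layers a strength validation on :validatable.
  def self.strong_valid?(password, confirmation, min_score: 3)
    legacy_valid?(password, confirmation) && strength_score(password) >= min_score
  end
end

if __FILE__ == $PROGRAM_NAME
  ['top-secret', 'top-Secret12!$#'].each do |pw|
    puts format('%-18s legacy=%-5s score=%d strong=%s', pw,
                PasswordPolicy.legacy_valid?(pw, pw),
                PasswordPolicy.strength_score(pw),
                PasswordPolicy.strong_valid?(pw, pw))
  end
end
```

Run as a script and the old test password 'top-secret' passes the legacy check (ten characters, confirmation matches) but scores 0 under the strength check, which is exactly the gap the patch closed; 'top-Secret12!$#' passes both. A real deployment should rely on the gem's estimator rather than class counting, since dictionary and keyboard-pattern passwords can satisfy class rules while remaining cheap to guess.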


WAF Protection Rules

WAF Rule: Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10.
