Weak Password Requirements in cortezaproject/corteza-server


Reported on

Jul 18th 2021

Passwords shorter than 8 characters are considered weak (NIST SP 800-63B). The maximum password length should not be set too low, as that prevents users from creating passphrases. ... It is important to set a maximum password length to prevent long-password denial-of-service attacks.

STEPS FOR REPRODUCTION:
1) Go to https://latest.cortezaproject.org/auth/login
2) Create an account
3) Enter the username, email address and password as 'admin' and your account will be created

💥 Impact

Improper secure design principles.
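As an added illustration, not Corteza's own code and not part of the original report, the following Go program contrasts a check that accepts any non-empty password (so 'admin' passes, as in the reproduction steps) with a policy that enforces what the report cites: a minimum of 8 characters, counted as Unicode characters rather than bytes, and a maximum applied before any hashing so a very long submission cannot drive up the cost of the password hash. It goes slightly beyond the report by adding the blocklist check NIST SP 800-63B also requires. The limits, function names and the sample blocklist are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy limits. Assumed values for this example, not Corteza's configuration:
// NIST SP 800-63B requires at least 8 characters; the upper bounds keep the
// work a slow password hash (bcrypt, scrypt, Argon2) does per login attempt
// predictable. bcrypt in particular ignores bytes beyond 72, so a product that
// uses it should also decide how to handle longer inputs.
const (
	MinPasswordLen   = 8    // characters (runes), per NIST SP 800-63B
	MaxPasswordLen   = 128  // characters; long enough for passphrases
	MaxPasswordBytes = 1024 // byte cap checked before any other work
)

var (
	ErrPasswordTooShort = errors.New("password must be at least 8 characters")
	ErrPasswordTooLong  = errors.New("password is too long")
	ErrPasswordInvalid  = errors.New("password is not valid UTF-8")
	ErrPasswordCommon   = errors.New("password is too common")
)

// commonPasswords is a tiny constructed blocklist standing in for a real
// breached-password list; NIST SP 800-63B requires such a check.
var commonPasswords = map[string]struct{}{
	"password": {}, "12345678": {}, "qwerty123": {}, "admin123": {},
}

// WeakCheck mirrors the behaviour the report describes: any non-empty
// password, including "admin", is accepted.
func WeakCheck(pw string) error {
	if pw == "" {
		return errors.New("password required")
	}
	return nil
}

// CheckPassword is the hardened form. The byte cap comes first so an
// oversized body is rejected before it is decoded or hashed; length is then
// counted in characters, not bytes, so non-ASCII passphrases are not
// penalised; finally the candidate is compared against the blocklist.
func CheckPassword(pw string) error {
	if len(pw) > MaxPasswordBytes {
		return ErrPasswordTooLong
	}
	if !utf8.ValidString(pw) {
		return ErrPasswordInvalid
	}
	n := utf8.RuneCountInString(pw)
	if n < MinPasswordLen {
		return ErrPasswordTooShort
	}
	if n > MaxPasswordLen {
		return ErrPasswordTooLong
	}
	if _, bad := commonPasswords[strings.ToLower(pw)]; bad {
		return ErrPasswordCommon
	}
	return nil
}

// truncate shortens long candidates for display only.
func truncate(s string, n int) string {
	if utf8.RuneCountInString(s) <= n {
		return s
	}
	return string([]rune(s)[:n]) + "..."
}

func main() {
	// Constructed sample inputs covering each branch of the policy.
	candidates := []string{
		"admin",                        // the report's reproduction value
		"admin123",                     // long enough, but blocklisted
		"correct horse battery staple", // passphrase, accepted
		"пароль12",                     // 8 characters but 14 bytes, accepted
		strings.Repeat("a", 5000),      // long-password DoS attempt
	}
	for _, c := range candidates {
		fmt.Printf("%-32q weak=%v hardened=%v\n", truncate(c, 24), WeakCheck(c), CheckPassword(c))
	}
}
```

The ordering of the checks is the security-relevant part: the cheap byte-length comparison runs before UTF-8 validation, rune counting, lowercasing or hashing, so an attacker who posts a multi-megabyte password is turned away before the server spends any real work on it.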

We have contacted a member of the cortezaproject/corteza-server team and are waiting to hear back 2 years ago
Tomaž Jerman
2 years ago

Thank you for reporting; I'll get one of our guys to resolve this

Tomaž Jerman validated this vulnerability 2 years ago
sudheendra17 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Denis Arh marked this as fixed in 2021.9.4 with commit 420b5e a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE