Weak Password Requirements in apolloconfig/apollo

Valid

Reported on

Sep 2nd 2021


✍️ Description

The Application does not have control set in password complexity. It is possible to add a user with a single character password in the application.

🕵️‍♂️ Proof of Concept

Adding the user.

POST /users HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 63
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/user-manage.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: NG_TRANSLATE_LANG_KEY=en; JSESSIONID=B837CA94445BBE1B794DA8A75BAB9D24
Connection: close

{"username":"jajaja","password":"1","email":"jajaja@gmail.com"}

Response when the user is added.

HTTP/1.1 200 
Date: Thu, 02 Sep 2021 08:23:52 GMT
Content-Length: 0
Connection: close
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: SAMEORIGIN

Then the user can login with 'jajaja' as username and '1' as password.

💥 Impact

Weak passwords can be guessable or attackers can brute-force the password if the length of the password is very small. So, it is recommended to set a secure password policy so that the users can't use weak passwords.

We have contacted a member of the apolloconfig/apollo team and are waiting to hear back 3 months ago
apolloconfig/apollo maintainer validated this vulnerability 3 months ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
apolloconfig/apollo maintainer
3 months ago

Maintainer


Thanks for the report! Since only admin users are allowed to update passwords, so we think this is a low severity issue and a feature request is created in the github repository: https://github.com/apolloconfig/apollo/issues/3948

Jamie Slome
3 months ago

Admin


@maintainer - great, thanks for the input!

Once you have confirmed a patch for the issue, feel free to confirm fix and we can assign a CVE for you.

If you would like anything adjusted in the CVE, such as severity etc., let us know!

Jason Song confirmed that a fix has been merged on 4a28fb 2 months ago
The fix bounty has been dropped