CVE-2022-3326

Name of the Vulnerable Software and Affected Versions ikus060/rdiffweb versions prior to 2.4.9

Description The issue concerns weak password requirements. Specifically, it allows users to set passwords with all spaces, bypassing password complexity requirements due to a lack of password entropy validation. The password policy requires passwords to be between 8 and 128 characters, but this does not prevent the use of weak passwords. This issue has been fixed in version 2.4.9.

Recommendations For versions prior to 2.4.9, update to version 2.4.9 to resolve the issue. As a temporary workaround, consider enforcing a stronger password policy that includes validation of password entropy to minimize the risk of exploitation. Restrict access to password settings until the update can be applied.