Headline
CVE-2023-34240: The web app does not verify weak passwords at the backend in cloudexplorer-dev/cloudexplorer-lite
Cloudexplorer-lite is an open source cloud software stack. Weak passwords can be easily guessed and are an easy target for brute force attacks. This can lead to an authentication system failure and compromise system security. Versions of cloudexplorer-lite prior to 1.2.0 did not enforce strong passwords. This vulnerability has been fixed in version 1.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Weak passwords can be easily guessed and are an easy target for brute force attacks.
This can lead to an authentication system failure and compromise system security.
Access and login to the demo website: https://cloudexplorer-lite-demo.fit2cloud.com/
In the change-password function, the backend does not check password strength, so a user can:
- Set the new password to be identical to the old password.
- Set a one-character password such as `1`; this bypasses the frontend check, since the check is only performed client-side.
Affected versions: <= 1.2.0.
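The defensive fix is to enforce the password policy on the server, where a client cannot skip it. The following is an added illustration, not code from CloudExplorer Lite: a hypothetical change-password handler that verifies the old password against a stored PBKDF2 hash and rejects both cases named above (new password equal to the old one, and a one-character password) along with other weak choices. The denylist is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample denylist; a real deployment would use a larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin123"}
SALT_LEN = 16

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def hash_password(password: str) -> bytes:
    """Return salt || digest, the form stored in the user table."""
    salt = os.urandom(SALT_LEN)
    return salt + _pbkdf2(password, salt)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_pbkdf2(password, salt), digest)

def password_policy_errors(new_pw: str, old_pw: str, min_length: int = 8) -> List[str]:
    """Server-side strength check. Returns every violation found (empty list == accepted)."""
    errors = []
    if new_pw == old_pw:
        errors.append("new password must differ from the old password")
    if len(new_pw) < min_length:
        errors.append(f"password must be at least {min_length} characters")
    classes = [any(c.islower() for c in new_pw), any(c.isupper() for c in new_pw),
               any(c.isdigit() for c in new_pw), any(not c.isalnum() for c in new_pw)]
    if sum(classes) < 3:
        errors.append("password must use at least three of: lowercase, uppercase, digit, symbol")
    if new_pw.lower() in COMMON_PASSWORDS:
        errors.append("password is on the common-password denylist")
    return errors

def change_password(stored: bytes, old_pw: str, new_pw: str) -> Tuple[Optional[bytes], List[str]]:
    """Hypothetical backend handler: (new stored hash or None, list of errors).
    The policy runs here on every request, whatever the frontend did or did not check."""
    if not verify_password(old_pw, stored):
        return None, ["old password is incorrect"]
    errors = password_policy_errors(new_pw, old_pw)
    if errors:
        return None, errors
    return hash_password(new_pw), []
```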
Patches
The vulnerability has been fixed in v1.2.0.
Workarounds
It is recommended to upgrade to v1.2.0.
References
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/CloudExplorer-Dev/CloudExplorer-Lite
- Email us at xin.bai@fit2cloud.com