Headline
GHSA-5mrf-j8v6-f45g: LibreNMS has Weak Password Policy
Summary
A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.
Details
Vulnerable Component: User creation / password definition
The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.
PoC
Log in to the application using an Administrator account.
Navigate to the user management section:
Create a new user account using the password
12345678.
<img width="1103" height="852" alt="image" src="https://github.com/user-attachments/assets/a20d4226-9f86-46ee-a4e6-45be91bb6b7b" />
- The application accepts the weak password without restrictions and creates the account successfully.
<img width="1359" height="487" alt="image" src="https://github.com/user-attachments/assets/9bec15bf-b38f-448b-8f98-acca5724e143" />
Impact
Weak password policy vulnerabilities can have severe consequences, including:
Increased risk of brute-force and credential stuffing attacks
Unauthorized access to user or administrative accounts
Privilege escalation through compromised credentials
Degradation of the overall security posture of the platform
Mitigation
Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
Block the use of commonly known weak passwords (e.g.,
12345678,password,admin,qwerty).
Summary
A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.
Details
Vulnerable Component: User creation / password definition
The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.
PoC
Log in to the application using an Administrator account.
Navigate to the user management section:
Create a new user account using the password 12345678.
- The application accepts the weak password without restrictions and creates the account successfully.
Impact
Weak password policy vulnerabilities can have severe consequences, including:
Increased risk of brute-force and credential stuffing attacks
Unauthorized access to user or administrative accounts
Privilege escalation through compromised credentials
Degradation of the overall security posture of the platform
Mitigation
Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
Block the use of commonly known weak passwords (e.g., 12345678, password, admin, qwerty).
References
- GHSA-5mrf-j8v6-f45g