Impact
When users register new accounts or change their passwords, no validation is applied that would prevent them from choosing an easily guessed password.
Patches
This issue is resolved by providing sane defaults for the AUTH_PASSWORD_VALIDATORS configuration setting:
- password can’t be too similar to your other personal information.
- password must contain at least 10 characters.
- password can’t be a commonly used password.
- password can’t be entirely numeric.
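The following is an added example, not code from Kiwi TCMS or Django. It shows the Django settings fragment that enables the four default validators listed above (the class paths are Django's real `django.contrib.auth.password_validation` classes, with `min_length` set to 10 to match the advisory), followed by a small stand-alone approximation of what each rule rejects so the policy can be exercised without a Django install. The tiny common-password set is constructed for illustration; Django ships a much larger list, and its similarity check differs in detail.

```python
# Added example: Django settings fragment for the four default validators,
# plus a plain-Python approximation of each rule (not Django's own code).
import difflib
import re
from typing import Optional

# settings.py fragment. The class paths are Django's real validators;
# min_length=10 matches the advisory's "at least 10 characters".
AUTH_PASSWORD_VALIDATORS = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
     "OPTIONS": {"min_length": 10}},
    {"NAME": "django.contrib.auth.password_validation.CommonPasswordValidator"},
    {"NAME": "django.contrib.auth.password_validation.NumericPasswordValidator"},
]

# Constructed stand-in for Django's bundled common-password list.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "123456", "iloveyou"}

MIN_LENGTH = 10
MAX_SIMILARITY = 0.7  # Django's default threshold for the similarity validator


def too_similar(password: str, user_attrs: dict) -> bool:
    """Approximation of UserAttributeSimilarityValidator: compare the password
    against each user attribute (username, email, first/last name) and against
    each word inside it, using difflib's similarity ratio."""
    pw = password.lower()
    for value in user_attrs.values():
        if not value:
            continue
        value = value.lower()
        for part in re.split(r"\W+", value) + [value]:
            if part and difflib.SequenceMatcher(a=pw, b=part).ratio() >= MAX_SIMILARITY:
                return True
    return False


def password_problems(password: str, user_attrs: Optional[dict] = None) -> list:
    """Return the names of the default rules the password violates.
    An empty list means the password would be accepted."""
    user_attrs = user_attrs or {}
    problems = []
    if too_similar(password, user_attrs):
        problems.append("too_similar")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if password.isdigit():
        problems.append("numeric")
    return problems


if __name__ == "__main__":
    user = {"username": "alice.smith", "email": "alice@example.com"}
    for candidate in ["1234567890", "short", "password123", "alice.smith",
                      "correct horse battery"]:
        print(f"{candidate!r}: {password_problems(candidate, user) or 'accepted'}")
```

With the settings fragment in place, Django runs the same four checks through `validate_password()` on registration and password-change forms; the helper above only mirrors the intent of each rule so the policy can be reasoned about offline.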
Workarounds
An administrator may reset all passwords in Kiwi TCMS if they suspect a weak one may have been chosen. For example, execute the following code snippet in the Kiwi TCMS Python shell:

    import uuid
    from django.contrib.auth.models import User

    # Walk every account, including superusers, and replace its password
    # with a random 32-character hex string that is not recorded anywhere.
    for user in User.objects.all():
        user.set_password(uuid.uuid4().hex)  # hashes the new value; does not persist it
        user.save()                           # write the new hash to the database

Note that this resets every user's password to a random value that is not stored or displayed anywhere; affected users, administrators included, will have to go through the password reset procedure before they can log in again.
References
Disclosed by spyata