CVE-2023-22451

2023-01-0216:15:11

CWE-521

[email protected]

web.nvd.nist.gov

cve-2023-22451

kiwi tcms

open source

test management

password validation

security issue

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.3%

JSON

Kiwi TCMS is an open source test management system. In version 11.6 and prior, when users register new accounts and/or change passwords, there is no validation in place which would prevent them from picking an easy to guess password. This issue is resolved by providing defaults for the AUTH_PASSWORD_VALIDATORS configuration setting. As of version 11.7, the password can’t be too similar to other personal information, must contain at least 10 characters, can’t be a commonly used password, and can’t be entirely numeric. As a workaround, an administrator may reset all passwords in Kiwi TCMS if they think a weak password may have been chosen.

Affected configurations

Vulners

NVD

Node

kiwitcmskiwi_tcmsRange≤11.6

VendorProductVersionCPE
kiwitcmskiwi_tcms*cpe:2.3:a:kiwitcms:kiwi_tcms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
kiwitcms	kiwi_tcms	*	cpe:2.3:a:kiwitcms:kiwi_tcms::::::::

CNA Affected

[
  {
    "vendor": "kiwitcms",
    "product": "Kiwi",
    "versions": [
      {
        "version": "<= 11.6",
        "status": "affected"
      }
    ]
  }
]