CollabNet Subversion Edge Management Weak Password Policy

2015.06.30

Credit: otr

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Vuln Title: The CollabNet Subversion Edge Management Frontend does not
# implement a strong password policy
#
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Lack of defensive measures
#
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management does not implement a strong password
policy. Passwords like "aaaaa" are allowed as the only requirement is that the
password is at least 5 characters long
Fix proposal:
Allow for a configuration option that enforces high password complexity.
Vendor fix:
The new default for passwords is to require at least 3 of the following
character classes: uppercase, lowercase, digits, and special characters. A
minimum length of 8 characters is also configurable.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CollabNet Subversion Edge Management Weak Password Policy

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.