Key Information

Vulnerability Name: Insecure Password Handling
Affected Versions: <= 2.34.0
Fixed Version: 2.34.1

Vulnerability Description

Issue 1: Users can set weak passwords, such as "secret" or a password consisting of a single digit; no minimum length or complexity is enforced.
Issue 2: The initial admin account is created with the default password "admin", and the application never requires it to be changed.
Issue 3: There is no protection against brute-force attacks: login attempts are neither limited nor throttled.

Impact

Because weak and default passwords are accepted and login attempts are unlimited, an attacker can guess user passwords by brute force, log in directly to an admin account whose default password was never changed, and take over the affected accounts.

Proof of Concept

The original report includes an HTTP communication example showing how a weak password is configured through the application and how a brute-force login test is performed against it.

Recommended Mitigations

1. Implement a password policy that enforces a minimum length and rejects trivially weak values (for example, single digits and common words such as "secret").
2. Require the initial admin account, and any account created with a default password, to change that password at first login before any other action is allowed.
3. Implement brute-force protection by limiting the number of failed login attempts permitted for an account within a specified time window (lockout or throttling).

Timeline

2020-08-27: Vulnerability discovered
2020-09-16: Disclosed to the project
2020-09-29: Project repository updated with recommendations
2020-09-30: CVE assigned by GitHub
2020-09-30: Fixed in version 2.34.1

References

OWASP Authentication Cheat Sheet
NIST Special Publication 800-63B, Digital Identity Guidelines - Passwords
Periodic Passwords

Common Weaknesses

CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-521: Weak Password Requirements
CWE-1392: Use of Default Credentials
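The three recommended mitigations above (password policy, forced change of the default admin password, and a limit on failed login attempts) are shown together in the following example. It is added here for illustration and is not code from the affected project or from the original report; the in-memory `AuthService`, the thresholds `MIN_LENGTH`, `MAX_ATTEMPTS` and `WINDOW_SECONDS`, and the short `COMMON_PASSWORDS` block list are assumptions chosen for the example. The policy check follows the NIST SP 800-63B approach (minimum length plus a block list of known-bad values) rather than character-class composition rules, and `brute_force` plays the attacker from the proof of concept to show the lockout stopping the guessing.

```python
"""Added example (not the affected project's code): password policy,
forced rotation of the default admin password, and per-account lockout.
Thresholds and the block list below are assumptions for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MIN_LENGTH = 8          # assumed; NIST SP 800-63B minimum for user-chosen secrets
MAX_ATTEMPTS = 5        # assumed; failed logins allowed per account per window
WINDOW_SECONDS = 300    # assumed; sliding window over which failures are counted
# Constructed block list; a real deployment uses a large breached-password list.
COMMON_PASSWORDS = {"admin", "secret", "password", "123456", "qwerty"}


def check_password_policy(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password block list")
    if password.lower() == username.lower():
        problems.append("identical to the username")
    if password.isdigit():
        problems.append("consists only of digits")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False
    failures: List[float] = field(default_factory=list)  # timestamps of failed logins


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.users = {}
        # The initial admin ships with a known password, so it is flagged for
        # mandatory rotation: login succeeds only into a "change password" step.
        salt, digest = hash_password("admin")
        self.users["admin"] = User("admin", salt, digest, must_change_password=True)

    def set_password(self, username: str, new_password: str) -> None:
        """Apply the policy before storing a new password (mitigation 1)."""
        problems = check_password_policy(new_password, username)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        user = self.users[username]
        user.salt, user.digest = hash_password(new_password)
        user.must_change_password = False  # mitigation 2 satisfied

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change-required', 'locked' or 'denied'."""
        user = self.users.get(username)
        if user is None:
            # Same answer as a wrong password to avoid user enumeration; a
            # production version also runs a dummy hash to equalise timing.
            return "denied"
        now = self.clock()
        # Mitigation 3: count failures inside the sliding window and refuse
        # further attempts once the limit is reached.
        user.failures = [t for t in user.failures if now - t < WINDOW_SECONDS]
        if len(user.failures) >= MAX_ATTEMPTS:
            return "locked"
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            user.failures.append(now)
            return "denied"
        user.failures.clear()
        return "change-required" if user.must_change_password else "ok"


def brute_force(service: AuthService, username: str, guesses: List[str]) -> Tuple[Optional[str], int]:
    """Attacker side of the PoC: try guesses in order until one works or the
    account locks. Returns (successful guess or None, attempts made)."""
    for attempt, guess in enumerate(guesses, 1):
        result = service.login(username, guess)
        if result in ("ok", "change-required"):
            return guess, attempt
        if result == "locked":
            return None, attempt
    return None, len(guesses)
```

With the lockout in place the guessing loop is cut off after `MAX_ATTEMPTS` failures, and the attacker has to wait out `WINDOW_SECONDS` per batch of guesses, which turns a dictionary run of a few thousand candidates into days; without it, the same loop finds "admin" on the first matching guess.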