Weak Password Requirements in cloudexplorer-dev/cloudexplorer-lite
Description
Weak Password Requirements in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CloudExplorer Lite before v1.2.0 lacked password complexity validation, allowing weak passwords that could be easily brute-forced.
Vulnerability
CloudExplorer Lite prior to version 1.2.0 did not enforce password complexity requirements during password reset. The resetPwd endpoint in framework/sdk/backend/src/main/java/com/fit2cloud/base/service/impl only checked that the old password matched and that the user was locally created, but did not validate the new password's strength. This allowed users to set weak passwords (e.g., short, no special characters) [1][2].
Exploitation
An attacker with knowledge of a user's old password (or who can intercept a password reset request) could set a weak new password. Alternatively, an attacker could brute-force login attempts against accounts with weak passwords. The lack of complexity requirements reduces the search space for password guessing [2].
Impact
Successful exploitation leads to unauthorized access to the affected CloudExplorer Lite account. Depending on the user's privileges, this could result in disclosure or modification of cloud environment data managed by the platform [2].
Mitigation
The vulnerability is fixed in version 1.2.0. The commit [1] adds a regex check requiring passwords to be 8-30 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character, and also prevents setting the same password as the old one. Users should upgrade to v1.2.0 or later. No workaround is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
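The reset checks described under Vulnerability and Mitigation above, as an added example; this is not code from the CloudExplorer Lite repository or its fix commit. The class and method names, the regex, and the reading of "special character" as ASCII punctuation are assumptions, and passwords are compared as plain strings here where a real service would verify against a stored hash.

```java
import java.util.regex.Pattern;

public class ResetPasswordPolicy {
    // Assumed rule built from the description above: 8-30 characters with at least
    // one uppercase letter, one lowercase letter, one digit and one special character.
    // "Special" is taken to mean ASCII punctuation (\p{Punct}); that is an assumption.
    private static final Pattern COMPLEXITY = Pattern.compile(
        "^(?=.*[A-Z])(?=.*[a-z])(?=.*\\d)(?=.*\\p{Punct})[\\p{Alnum}\\p{Punct}]{8,30}$");

    /** Returns null when the reset is acceptable, otherwise the reason for rejecting it. */
    static String validateReset(String storedOld, String suppliedOld,
                                String newPwd, boolean localUser) {
        // Checks the pre-1.2.0 code is described as already performing.
        if (!localUser) {
            return "account is not locally created";
        }
        if (storedOld == null || !storedOld.equals(suppliedOld)) {
            return "old password does not match";
        }
        // Checks the fix is described as adding.
        if (newPwd == null || !COMPLEXITY.matcher(newPwd).matches()) {
            return "new password fails the complexity rule";
        }
        if (newPwd.equals(suppliedOld)) {
            return "new password is the same as the old one";
        }
        return null;
    }

    public static void main(String[] args) {
        String old = "Old-Passw0rd!"; // constructed sample value
        // Constructed candidates: too short, no variety, no special character,
        // minimal valid, reuse of the old password, and a longer valid one.
        String[] candidates = {
            "123456", "password", "Abcdefg1", "Abcdef1!", "Old-Passw0rd!", "Str0ng#Passphrase"
        };
        for (String candidate : candidates) {
            String reason = validateReset(old, old, candidate, true);
            System.out.printf("%-20s %s%n", candidate,
                reason == null ? "accepted" : "rejected: " + reason);
        }
    }
}
```

Without the last two checks, every candidate in the list is accepted as long as the old password matches, which is the pre-1.2.0 behaviour described above.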
Affected products
- Range: <1.2.0
- cloudexplorer-dev/cloudexplorer-dev/cloudexplorer-lite v5, Range: unspecified