[ 
https://issues.apache.org/jira/browse/JSPWIKI-80?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex O'Ree updated JSPWIKI-80:
------------------------------
    Epic Link: JSPWIKI-1244

> Ounce Labs Security Finding: Authentication - Password Policy Rules Not 
> Available
> ---------------------------------------------------------------------------------
>
>                 Key: JSPWIKI-80
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-80
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Andrew R. Jaquith
>            Priority: Major
>             Fix For: STRIPES/JCR-3.1
>
>         Attachments: report.pdf
>
>
> Description: 
> The application currently does not provide the means for application 
> administrators to enforce strong password policies.  Without strong password 
> policies, it is highly likely that end users will select weak passwords and 
> the application will allow the use of these weak passwords. If usability 
> requirements dictate allowing of weaker passwords, it is still desirable for 
> certain JSPWiki administrators to have this configurable option of enforcing 
> certain password policies.  Currently the only enforcement in place is that 
> the password can not be null or be that of the username.
> Recommendation:
> Consider implementing the capability to allow for JSPWiki administrators the 
> capability to enforce stronger password complexity policies.  For example, 
> consider password length, character enforcement rules dictating special 
> characters, etc. 
> Related Code Locations: 
> 1 findings:
>   Name:           
> com.ecyrd.jspwiki.auth.UserManager.validateProfile(com.ecyrd.jspwiki.WikiContext;com.ecyrd.jspwiki.auth.user.UserProfile):void
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      
> Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     425 / 0
>   Context:        password . java.lang.String.equals ( password2 )
>     -----------------------------------



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
