
vulnerability issues: Weak Password Policy #4886

Open
mukulk2020 opened this issue Mar 15, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@mukulk2020

Stratos Version

Stratos 4.4.0

Frontend Deployment type

  • [ ] Cloud Foundry Application (cf push)
  • [ ] Kubernetes, using a helm chart
  • [ ] Docker, single container deploying all components
  • [ ] npm run start
  • [x] Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

To mitigate the risk of easily guessed passwords facilitating unauthorized access there are two solutions: introduce additional authentication controls (i.e. two-factor authentication) or introduce a strong password policy. The simplest and cheapest of these is the introduction of a strong password policy that ensures password length, complexity, reuse and aging.

  1. A strong password must be at least 8 characters long.
  2. It should not contain any of your personal information, specifically your real name, username, or even your company name.
  3. It must be unique from your previously used passwords.
  4. It should not contain any word spelled completely.
  5. It should contain characters from the four primary categories, including: uppercase letters, lowercase letters, numbers, and characters.

Actual behaviour

There is no validation at all.

Steps to reproduce the behavior

  1. Log in with any user from the Stratos Dashboard.
  2. Go to the top right-hand side -> click on My profile -> edit userinfo.
  3. Enter the new password and save it.

Log output covering before error and any error statements


image

Detailed Description

There is no validation check on this new password field. The user is able to enter anything, of any length and with any characters (and it is saved as well).

Context

Possible Implementation
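An added example, not Stratos code and not part of this issue, showing how the five rules listed under Expected behaviour could be enforced as a single validator in TypeScript (the language of the Stratos frontend). The `PasswordPolicyInput` interface, the field names, the violation messages and the small word list are assumptions made for the illustration; rule 3 is checked against scrypt hashes of earlier passwords so that the history never has to be stored in plaintext.

```typescript
// Added example, not part of Stratos: a validator for the five password rules
// requested in this issue. Field names, messages and the word list are assumptions.
import * as crypto from "node:crypto";

interface PasswordPolicyInput {
  password: string;
  username: string;
  realName: string;
  companyName: string;
  // scrypt hashes of previously used passwords, formatted "saltHex:keyHex"
  previousHashes: string[];
}

// Constructed mini word list; a real deployment would load a full dictionary.
const DICTIONARY_WORDS = ["password", "welcome", "summer", "dragon", "monkey", "stratos"];
const SCRYPT_KEYLEN = 32;

// Hash a password with a random per-entry salt so the history can be kept
// without plaintext; the same routine would run whenever a password is set.
function hashPassword(password: string): string {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, SCRYPT_KEYLEN);
  return `${salt.toString("hex")}:${key.toString("hex")}`;
}

// Constant-time comparison of a candidate against one stored history entry.
function matchesStoredHash(password: string, stored: string): boolean {
  const [saltHex, keyHex] = stored.split(":");
  if (!saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, "hex");
  const candidate = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), SCRYPT_KEYLEN);
  return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
}

// Split a free-text field into tokens worth checking; one- and two-letter
// fragments (initials) are ignored so they do not block every password.
function personalTokens(value: string): string[] {
  return value.toLowerCase().split(/[^a-z0-9]+/).filter((t) => t.length >= 3);
}

// Returns the list of violated rules; an empty list means the password is accepted.
function validatePassword(input: PasswordPolicyInput): string[] {
  const violations: string[] = [];
  const pw = input.password;
  const lower = pw.toLowerCase();

  // Rule 1: minimum length
  if (pw.length < 8) violations.push("must be at least 8 characters long");

  // Rule 2: no real name, username or company name fragments
  const fields = [
    { label: "real name", value: input.realName },
    { label: "username", value: input.username },
    { label: "company name", value: input.companyName },
  ];
  for (const { label, value } of fields) {
    if (personalTokens(value).some((t) => lower.includes(t))) {
      violations.push(`must not contain your ${label}`);
    }
  }

  // Rule 3: unique from previously used passwords
  if (input.previousHashes.some((h) => matchesStoredHash(pw, h))) {
    violations.push("must differ from previously used passwords");
  }

  // Rule 4: no complete dictionary word
  if (DICTIONARY_WORDS.some((w) => lower.includes(w))) {
    violations.push("must not contain a complete dictionary word");
  }

  // Rule 5: all four character categories
  const categories = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];
  if (!categories.every((re) => re.test(pw))) {
    violations.push("must contain uppercase, lowercase, digits and special characters");
  }

  return violations;
}

// Demo with constructed profile data.
const demoInput: PasswordPolicyInput = {
  password: "Mukul#2021xyz",
  username: "mukulk",
  realName: "Mukul K",
  companyName: "Acme",
  previousHashes: [hashPassword("OldPassw0rd!")],
};
console.log(validatePassword(demoInput));
```

The validator returns every violated rule rather than stopping at the first, which is what a profile form needs in order to show the user all the problems at once; the server-side handler should run the same function, since a client-only check is trivially bypassed.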

@richard-cox richard-cox added the community Community Raised Issue label Apr 12, 2021