PT-2023-2468 · Nextcloud · Nextcloud Server

Nickvergessen · Published 2023-03-27 · Updated 2023-04-18 · CVE-2023-28835

CVSS v2.0: 10 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 24.0.10
Nextcloud Server versions prior to 25.0.4

Description

The issue is related to the generated fallback password when creating a share in Nextcloud Server, which uses a weak-complexity random number generator. This makes the password guessable by an attacker willing to brute-force it, especially when the sharer does not change the password. The vulnerability can be exploited by a remote attacker to gain unauthorized access to protected information. It only affects users who do not have a password policy enabled.

Recommendations

For Nextcloud Server versions prior to 24.0.10, upgrade to 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to 25.0.4. As a temporary workaround for users unable to upgrade, enable a password policy to mitigate the issue.

Related identifiers

ALT-PU-2023-1517
ALT-PU-2023-1547
BDU:2023-02258
BDU:2023-02259
BDU:2023-02260
BDU:2023-02262
CVE-2023-28835
GHSA-7W2P-RP9M-9XP9

Affected products

Alt Linux
Nextcloud Server
Red Os