PT-2022-20541 · Nextcloud · Nextcloud Server

Nickvergessen · Published 2022-08-04 · Updated 2022-09-02 · CVE-2022-31118

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 22.2.9
Nextcloud Server versions prior to 23.0.6
Nextcloud Server versions prior to 24.0.2

Description

The issue affects Nextcloud Server, an open source personal cloud solution. An attacker could brute-force the affected endpoint to determine whether federated sharing is in use and then attempt to brute-force the access tokens for federated shares, which are 15 characters long and drawn from the character set a-zA-Z0-9.

Recommendations

For versions prior to 22.2.9, upgrade to 22.2.9.
For versions prior to 23.0.6, upgrade to 23.0.6.
For versions prior to 24.0.2, upgrade to 24.0.2.

As a temporary workaround, users unable to upgrade may disable federated sharing via the Admin Sharing settings in "index.php/settings/admin/sharing".

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts
Allocation of Resources Without Limits

Related Identifiers

ALT-PU-2022-2504
ALT-PU-2022-2555
CVE-2022-31118
GHSA-2VWH-5V93-3VCQ

Affected Products

Alt Linux
Nextcloud Server