PT-2022-26192 · Nextcloud+1 · Nextcloud Server+1
Not_Hackeronefour
·
Published
2022-10-28
·
Updated
2023-01-16
·
CVE-2022-41969
CVSS v3.1
2.4
Low
| Vector | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 23.0.11
Nextcloud Server versions prior to 24.0.7
Nextcloud Server versions prior to 25.0.0
Description
The issue affects Nextcloud Server, an open source personal cloud server, where prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. This allows an administrator to cause a limited Denial of Service (DoS) attack against their own server.
Recommendations
For versions prior to 23.0.11, update to version 23.0.11 or later to resolve the issue.
For versions prior to 24.0.7, update to version 24.0.7 or later to resolve the issue.
For versions prior to 25.0.0, update to version 25.0.0 or later to resolve the issue.
As a temporary workaround, do not create user accounts with long passwords.
Exploit
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server