PT-2023-22004 · Nextcloud+1 · Nextcloud Enterprise Server+2
Hackitbharat
·
Published
2023-03-27
·
Updated
2023-05-04
·
CVE-2023-28847
CVSS v3.1
3.1
Low
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions 24.0.0 through 24.0.10
Nextcloud Server versions 25.0.0 through 25.0.4
Nextcloud Server Enterprise versions 23.0.0 through 23.0.12.5
Nextcloud Server Enterprise versions 24.0.0 through 24.0.10
Nextcloud Server Enterprise versions 25.0.0 through 25.0.4
Description
The issue allows an attacker to brute force passwords of share links without restriction. This is possible because the attacker is not restricted in verifying passwords of share links.
Recommendations
For Nextcloud Server versions 24.0.0 through 24.0.10, update to version 24.0.11 or later.
For Nextcloud Server versions 25.0.0 through 25.0.4, update to version 25.0.5 or later.
For Nextcloud Server Enterprise versions 23.0.0 through 23.0.12.5, update to version 23.0.12.6 or later.
For Nextcloud Server Enterprise versions 24.0.0 through 24.0.10, update to version 24.0.11 or later.
For Nextcloud Server Enterprise versions 25.0.0 through 25.0.4, update to version 25.0.5 or later.
Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server
Nextcloud Enterprise Server