PT-2023-23726 · Nextcloud+1 · Nextcloud Server+1
Hackitbharat
·
Published
2023-03-27
·
Updated
2023-12-07
·
CVE-2023-32319
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud server versions 24.0.0 through 24.0.10
Nextcloud server versions 25.0.0 through 25.0.4
Nextcloud server versions prior to 26.0.0
Description
The issue is related to missing brute-force protection on the WebDAV endpoints via the basic auth header, allowing brute-forcing of user credentials when the provided user name was not an email address.
Recommendations
For Nextcloud server versions 24.0.0 through 24.0.10, upgrade to version 24.0.11 or later.
For Nextcloud server versions 25.0.0 through 25.0.4, upgrade to version 25.0.5 or later.
For Nextcloud server versions prior to 26.0.0, upgrade to version 26.0.0 or later.
Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server