PT-2023-2468 · Nextcloud · Nextcloud Server

Nickvergessen · Published 2023-03-27 · Updated 2023-04-18 · CVE-2023-28835

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 24.0.10; Nextcloud Server versions prior to 25.0.4.
Description: When a share is created in Nextcloud Server without an explicit password, the server generates a fallback password. That fallback password was produced by a random number generator of insufficient complexity, so the set of values it can take is small enough to enumerate. A remote attacker can therefore brute-force the password and gain unauthorized access to the protected share, especially when the sharer never replaces the generated password with one of their own. Only instances that do not have a password policy enabled are affected.
Recommendations: For Nextcloud Server versions prior to 24.0.10, upgrade to 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to 25.0.4. As a temporary workaround for installations that cannot upgrade, enable a password policy, which removes the weak fallback generator from the share-creation path.
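The following is an added illustration of the weakness class described above; it is not Nextcloud's code and does not reproduce the exact generator Nextcloud used. It models a fallback password drawn from a non-cryptographic PRNG seeded with a small, guessable value (here a constructed share-creation timestamp, SHARE_TIME, and a one-hour attacker window, WINDOW, both hypothetical), shows how few candidates an attacker has to submit against the share's password check, and contrasts that with a CSPRNG-backed generator whose only attack is the full 62**10 keyspace.

```python
"""Weak vs. strong fallback share-password generation (added example, not Nextcloud code)."""
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
LENGTH = 10                                        # password length used throughout
SHARE_TIME = 1_679_900_000                         # constructed share-creation timestamp (hypothetical)
WINDOW = 3_600                                     # attacker assumes creation within +/- 1 hour


def weak_password(seed: int, length: int = LENGTH) -> str:
    """Hypothetical weak fallback generator: a Mersenne Twister seeded from a
    small guessable value. Models the advisory's weakness class; not the real code."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """CSPRNG-backed generator: the only attack is enumerating 62**length values."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_share(password: str):
    """Return a verifier standing in for the share's password check (constant-time compare)."""
    def check(candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), password.encode())
    return check


def brute_force_weak(check, centre: int, window: int):
    """Attacker side: regenerate the candidate for every seed in the window and
    submit it to the share. Returns (password, attempts) or None."""
    attempts = 0
    for seed in range(centre - window, centre + window):
        attempts += 1
        candidate = weak_password(seed)
        if check(candidate):
            return candidate, attempts
    return None


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def run_attack():
    """Sharer kept the generated fallback password; attacker guesses only the hour."""
    share_check = make_share(weak_password(SHARE_TIME))
    return brute_force_weak(share_check, SHARE_TIME, WINDOW)


if __name__ == "__main__":
    print("weak generator recovered:", run_attack())
    print("effective entropy of weak fallback: %.1f bits" % math.log2(2 * WINDOW))
    print("entropy of CSPRNG password: %.1f bits" % entropy_bits(len(ALPHABET), LENGTH))
    print("CSPRNG sample:", strong_password())
```

The point of the comparison is that password length is irrelevant when the generator's state space is small: the ten-character weak password falls in at most 7200 online guesses, while the ten-character `secrets`-based password carries roughly 59.5 bits and is not enumerable. A password policy that rejects or replaces generated fallback passwords closes the same gap from the other side, which is why the advisory lists it as the interim workaround.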


Related Identifiers

ALT-PU-2023-1517
ALT-PU-2023-1547
BDU:2023-02258
BDU:2023-02259
BDU:2023-02260
BDU:2023-02262
CVE-2023-28835
GHSA-7W2P-RP9M-9XP9

Affected Products

Alt Linux
Nextcloud Server
Red Os