PT-2023-8429 · Nextcloud · Nextcloud Server

Polapain1337 · Published 2023-06-16 · Updated 2025-02-12 · CVE-2023-32320

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 25.0.7
Nextcloud Server versions prior to 26.0.2
Nextcloud Enterprise Server versions prior to 21.0.9.12
Nextcloud Enterprise Server versions prior to 22.2.10.12
Nextcloud Enterprise Server versions prior to 23.0.12.7
Nextcloud Enterprise Server versions prior to 24.0.12.2
Description

The vulnerability is an incomplete restriction of authentication attempts that lets a remote, unauthenticated attacker brute-force credentials. Nextcloud's brute-force protection checks the failure counter when a request arrives, but a failed attempt is only recorded after the request has been processed and its response sent. Requests that overlap in that window all see a counter still below the configured limit and are all executed, even when their combined number exceeds the limit. An attacker can therefore send many requests in parallel and brute-force credentials or other brute-force-protected values while the limit is never enforced on the in-flight batch. The high attack complexity in the vector reflects that the bypass depends on this timing: requests must reach the server concurrently, and each batch is bounded by how many the server processes before the counter catches up.
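The check-then-record race described above, as an added illustration written for this page (it is not Nextcloud's code and does not reproduce Nextcloud's implementation). A vulnerable limiter reads the failure counter when a request is admitted and only increments it after the credential check finishes; a hardened variant reserves the attempt in the same critical section that checks the limit, so in-flight requests count against it. The class names, the limit of five, the account, the password list and the source address are all assumptions made for the example; a Barrier forces the worst-case interleaving so the outcome is deterministic.

```python
import threading
from collections import defaultdict

# Assumed limit for this illustration; the page does not state Nextcloud's
# actual threshold or time window.
MAX_FAILURES = 5
ATTACKER_IP = "203.0.113.7"   # constructed source address (documentation range)


class RacyLimiter:
    """Vulnerable pattern: the limit is checked when the request arrives, but a
    failure is only counted after the credential check has finished. Requests
    that overlap in that window all see a counter below the limit."""

    def __init__(self, limit=MAX_FAILURES):
        self.limit = limit
        self.failures = defaultdict(int)
        self.lock = threading.Lock()

    def admit(self, ip):
        with self.lock:
            return self.failures[ip] < self.limit

    def finish(self, ip, success):
        with self.lock:
            if not success:
                self.failures[ip] += 1


class AtomicLimiter:
    """Hardened pattern: the attempt is reserved in the same critical section
    that checks the limit, so attempts still being processed count against it."""

    def __init__(self, limit=MAX_FAILURES):
        self.limit = limit
        self.failures = defaultdict(int)
        self.pending = defaultdict(int)   # admitted attempts not yet resolved
        self.lock = threading.Lock()

    def admit(self, ip):
        with self.lock:
            if self.failures[ip] + self.pending[ip] >= self.limit:
                return False
            self.pending[ip] += 1
            return True

    def finish(self, ip, success):
        with self.lock:
            self.pending[ip] -= 1
            if not success:
                self.failures[ip] += 1


# Constructed target: one account whose password is in the guess list.
ACCOUNT = {"alice": "winter2023"}
CANDIDATES = ["123456", "password", "letmein", "qwerty", "admin",
              "welcome", "nextcloud", "winter2023", "summer", "hunter2"]


def check_password(user, password):
    return ACCOUNT.get(user) == password


def parallel_guesses(limiter, user, candidates, ip=ATTACKER_IP):
    """Send every candidate as a concurrent request and report how many
    credential checks the limiter let run. The Barrier makes all admission
    checks complete before any request records its outcome, which is the
    worst-case interleaving the advisory describes; a real server reaches it
    whenever enough requests overlap."""
    barrier = threading.Barrier(len(candidates))
    executed, found = [], []
    lock = threading.Lock()

    def request(password):
        admitted = limiter.admit(ip)
        barrier.wait()           # every check done before any outcome is recorded
        if not admitted:
            return
        ok = check_password(user, password)
        with lock:
            executed.append(password)
            if ok:
                found.append(password)
        limiter.finish(ip, ok)

    threads = [threading.Thread(target=request, args=(pw,)) for pw in candidates]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"executed": len(executed), "found": found}


if __name__ == "__main__":
    for cls in (RacyLimiter, AtomicLimiter):
        result = parallel_guesses(cls(), "alice", CANDIDATES)
        print(f"{cls.__name__}: {result['executed']} of {len(CANDIDATES)} "
              f"guesses executed, found={result['found']}")
```

With the racy limiter all ten guesses run and the correct password is found; the counter only blocks the next serial request, after the damage is done. With the atomic limiter exactly five credential checks run regardless of how many requests arrive at once. The same property holds for a shared store such as a database or cache as long as the check-and-reserve is a single atomic operation there too.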
Recommendations

For Nextcloud Server versions prior to 25.0.7, update to version 25.0.7 or later.
For Nextcloud Server versions prior to 26.0.2, update to version 26.0.2 or later.
For Nextcloud Enterprise Server versions prior to 21.0.9.12, update to version 21.0.9.12 or later.
For Nextcloud Enterprise Server versions prior to 22.2.10.12, update to version 22.2.10.12 or later.
For Nextcloud Enterprise Server versions prior to 23.0.12.7, update to version 23.0.12.7 or later.
For Nextcloud Enterprise Server versions prior to 24.0.12.2, update to version 24.0.12.2 or later.

Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

ALT-PU-2023-2009
ALT-PU-2023-7785
ALT-PU-2025-1855
BDU:2024-00713
CVE-2023-32320
GHSA-QPHH-6XH7-VFFG

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os