← Back

CVE-2023-25818

nvd nist
Published: Mar 27, 2023Modified: Nov 21, 2024

JSON object

Loading...
7.1
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Exploitability: 2.8 / Impact: 4.2
Source: NVD

Description

Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.

Affected (7)

Nextcloud
1 product
Nextcloud Server
Configuration A
7 vulnerable
Vulnerable SoftwareAffected Versions
Nextcloud
Nextcloud Server
From 24.0.0 to 24.0.10
Nextcloud Server
From 25.0.0 to 25.0.4
Nextcloud Server
From 21.0.0 to 21.0.9.10
Nextcloud Server
From 22.0.0 to 22.2.10.10
Nextcloud Server
From 23.0.0 to 23.0.12.5
Nextcloud Server
From 24.0.0 to 24.0.10
Nextcloud Server
From 25.0.0 to 25.0.4

Related CWEs

CWE-307
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (6)

Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Issue Tracking
Source: security-advisories@github.com
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Source: af854a3a-2127-422b-91ae-364da2661108
Patch

Timeline

No history available yet.