CVE-2022-29243
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 22.2.7 | affected |
| nextcloud | security-advisories | >= 23.0.0, < 23.0.4 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-400: CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w
- https://github.com/nextcloud/server/pull/31658
- https://hackerone.com/reports/1153138
- https://security.gentoo.org/glsa/202208-17
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w
- https://github.com/nextcloud/server/pull/31658
- https://hackerone.com/reports/1153138
- https://security.gentoo.org/glsa/202208-17
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.