CVE-2022-31118
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Summary
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (a-zA-Z0-9 ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in index.php/settings/admin/sharing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 22.2.9 | affected |
| nextcloud | security-advisories | >= 23.0.0, < 23.0.6 | affected |
| nextcloud | security-advisories | >= 24.0.0, < 24.0.2 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq
- https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq
- https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.