CVE-2022-31118

2022-08-0417:15:08

CWE-307

CWE-770

GitHub_M

web.nvd.nist.gov

nextcloud

server

vulnerability

cve-2022-31118

federated sharing

brute force

access token

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

AI Score

4.4

Confidence

High

EPSS

0.001

Percentile

26.2%

JSON

Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (a-zA-Z0-9 ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in index.php/settings/admin/sharing.

Affected configurations

Nvd

Vulners

Node

nextcloudnextcloud_serverRange<22.2.9

nextcloudnextcloud_serverRange23.0.0–23.0.6

nextcloudnextcloud_serverRange24.0.0–24.0.2

VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server::::::::

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 22.2.9"
      },
      {
        "status": "affected",
        "version": ">= 23.0.0, < 23.0.6"
      },
      {
        "status": "affected",
        "version": ">= 24.0.0, < 24.0.2"
      }
    ]
  }
]