CVE-2022-41969

2022-12-0121:15:19

CWE-400

CWE-521

[email protected]

web.nvd.nist.gov

nextcloud

server

dos attack

user accounts

long passwords

2.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

3.9 Low

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.8%

JSON

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don’t create user accounts with long passwords.

Affected configurations

Vulners

NVD

Node

nextcloudnextcloudRange<23.0.11

nextcloudnextcloudRange24.0.0–24.0.7

VendorProductVersionCPE
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud	*	cpe:2.3:a:nextcloud:nextcloud::::::::
nextcloud	nextcloud	*	cpe:2.3:a:nextcloud:nextcloud::::::::

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 23.0.11",
        "status": "affected"
      },
      {
        "version": ">= 24.0.0, < 24.0.7",
        "status": "affected"
      }
    ]
  }
]