cvelist | GitHub_M | CVELIST:CVE-2022-24741
History: Mar 09, 2022 - 9:30 p.m.

CVE-2022-24741 High memory usage in Nextcloud server

2022-03-09 21:30:13
CWE-400
GitHub_M
www.cve.org
nextcloud, open source, denial of service, memory allocation, cpu, upgrade, disable preview generation, config flag

CVSS3: 3.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

AI Score: 6.8
Confidence: High

EPSS: 0.002
Percentile: 64.5%

Nextcloud Server is an open source, self-hosted cloud-style services platform. In affected versions, an attacker can cause a denial of service by uploading specially crafted files that cause the server to allocate too much memory/CPU. It is recommended that Nextcloud Server be upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the 'enable_previews' config flag.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 21.0.8"
      },
      {
        "status": "affected",
        "version": ">= 22.0.0, < 22.2.4"
      },
      {
        "status": "affected",
        "version": ">= 23.0.0, < 23.0.1"
      }
    ]
  }
]
