CVE-2022-29243 Improper input-size validation on the user new session name in Nextcloud Server

2022-05-3116:15:14

CWE-20

CWE-400

GitHub_M

www.cve.org

cve-2022-29243

nextcloud server

input-size validation

user session

performance impact

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

47.3%

JSON

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 22.2.7"
      },
      {
        "status": "affected",
        "version": ">= 23.0.0, < 23.0.4"
      }
    ]
  }
]