GitHub_MCVELIST:CVE-2022-31118CVE-2022-31118 Missing brute force protection on cloud federation sharing in Nextcloud Server
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
5.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.4%
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (a-zA-Z0-9 ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in index.php/settings/admin/sharing.
CNA Affected
[
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "< 22.2.9"
},
{
"status": "affected",
"version": ">= 23.0.0, < 23.0.6"
},
{
"status": "affected",
"version": ">= 24.0.0, < 24.0.2"
}
]
}
]Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
5.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.4%