cvelist / GitHub_M: CVELIST:CVE-2023-25161
History: Feb 13, 2023 - 8:22 p.m.

CVE-2023-25161 Nextcloud Server's missing rate limiting on password reset functionality allows sending lots of emails

Published: 2023-02-13 20:22:32
CWE: CWE-284
CNA: GitHub_M
Reference: www.cve.org
Tags: nextcloud, server, password reset, rate limiting, email, security vulnerability, upgrade, patch, nextcloud enterprise server, service slowdown, storage overflow, cost impact

CVSS3: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

EPSS: 0.001 (percentile 42.6%)

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on the password reset functionality, so an unauthenticated client can trigger a large number of password reset emails. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "= 25.0.0",
        "status": "affected"
      },
      {
        "version": ">= 24.0.0, < 24.0.8",
        "status": "affected"
      },
      {
        "version": "< 23.0.2",
        "status": "affected"
      }
    ]
  }
]
