Nextcloud GHSA-2HRC-5FGP-C9C9
Oct 13, 2023 - 8:09 a.m.

Improper restriction of excessive authentication attempts on WebDAV endpoint

2023-10-13 08:09:54
github.com
25
webdav
authentication
brute force
nextcloud
vulnerability
upgrade
patch
protection
hackerone
pullrequest

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 31.2%

Description

Impact

Missing protection allows an attacker to brute force passwords on the WebDAV API.

Patches

It is recommended that Nextcloud Server be upgraded to 25.0.9 or 26.0.4.
It is recommended that Nextcloud Enterprise Server be upgraded to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 or 26.0.4.

Workarounds

  • No workaround available
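Since no workaround is available, an interim step for defenders until the upgrade lands is to detect the brute-force pattern described under Impact in the server's own logs. The following is an added example and not code from the Nextcloud project or from this advisory; it assumes a nextcloud.log-style JSON line with time, remoteAddr, url and message fields (an assumption about the log format) and counts failed logins against the WebDAV endpoint per source address in a sliding window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of nextcloud.log (one JSON object per line).
# The field names (time, remoteAddr, url, message) are an assumption about the
# log format; they are not taken from the advisory.
SAMPLE_LOG = "\n".join(
    ['{"time":"2023-10-13T08:00:%02d+00:00","remoteAddr":"203.0.113.7",'
     '"method":"PROPFIND","url":"/remote.php/dav/files/admin/",'
     '"message":"Login failed: \'admin\' (Remote IP: \'203.0.113.7\')"}' % s
     for s in range(0, 60, 10)]  # six failures in 50 seconds from one address
    + ['{"time":"2023-10-13T08:01:00+00:00","remoteAddr":"198.51.100.4",'
       '"method":"PROPFIND","url":"/remote.php/dav/",'
       '"message":"Login failed: \'bob\' (Remote IP: \'198.51.100.4\')"}',
       '{"time":"2023-10-13T08:01:05+00:00","remoteAddr":"198.51.100.4",'
       '"method":"POST","url":"/login",'
       '"message":"Login failed: \'bob\' (Remote IP: \'198.51.100.4\')"}']
)

DAV_PREFIX = "/remote.php/dav"  # WebDAV endpoint path on a Nextcloud server

def failed_dav_logins(log_text):
    """Yield (timestamp, remote IP) for every failed login against the WebDAV endpoint."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("url", "").startswith(DAV_PREFIX) and "Login failed" in rec.get("message", ""):
            yield datetime.fromisoformat(rec["time"]), rec["remoteAddr"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for addresses that reach `threshold` failed WebDAV
    logins inside a sliding `window`; addresses below the threshold are left out."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, ip in sorted(failed_dav_logins(log_text)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed WebDAV logins within 5 minutes")
```

The failure on /login is deliberately ignored so the check stays scoped to the WebDAV endpoint this advisory concerns; widen DAV_PREFIX if other authentication endpoints should be covered.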

References

For more information

If you have any questions or comments about this advisory:
