Missing brute force protection on cloud federation sharing

Description

Impact

An attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (a-zA-Z0-9 ^ 15).

Patches

It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2.

Workarounds

As a workaround federated sharing can be disabled in the Admin Sharing settings: index.php/settings/admin/sharing

References

• HackerOne
• PullRequest

For more information

If you have any questions or comments about this advisory:

• Create a post in nextcloud/security-advisories
• Customers: Open a support ticket at support.nextcloud.com