Lucene search

NextcloudGHSA-36G6-WJX2-333X

HistoryMar 21, 2023 - 1:37 p.m.

Missing brute force protection on password confirmation modal

2023-03-2113:37:29

github.com

brute force protection

password confirmation

nextcloud

upgrade

security advisory

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Description

Impact

When an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint.

Patches

It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4
It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.10 or 22.2.10.10 or 23.0.12.5 or 24.0.10 or 25.0.4

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/server/pull/36489

hackerone.com/reports/1842114

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for GHSA-36G6-WJX2-333X