Nextcloud advisory GHSA-53Q2-CM29-7J83
History: Feb 24, 2023 - 7:22 a.m.

No password length restriction in reset password endpoint

Published: 2023-02-24 07:22:47
Source: github.com
Tags: password reset, security impact, nextcloud server, upgrade, hackerone, pullrequest, support ticket

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 45.3%

Description

Impact

A user can set a very long password, which consumes more resources during password validation than intended.
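The mitigation this advisory implies is an upper bound on password length that is checked before any length-dependent or deliberately slow validation work runs. The Python below is an added illustration, not Nextcloud's code: the limit of 512 characters, the policy rules, the constructed common-password list and the PBKDF2 parameters are all assumptions, chosen only to show the "before" and "after" shapes of a set-password handler and to make the saved work measurable.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple

# Values assumed for this added example; the advisory does not state
# Nextcloud's actual limit, policy rules or hashing parameters.
MAX_PASSWORD_LENGTH = 512      # upper bound checked before any other work
MIN_PASSWORD_LENGTH = 10
PBKDF2_ITERATIONS = 100_000    # a deliberately slow password hash

# Constructed list standing in for a "common passwords" policy check.
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein")

# Work counters so a caller (or test) can see what ran for a given input.
work = {"policy_checks": 0, "hash_calls": 0}


class PasswordRejected(ValueError):
    pass


def check_policy(password: str) -> None:
    """Policy validation that scans the whole string: character classes and a
    substring match against common passwords. Its cost scales with length,
    which is why it must never run on unbounded input."""
    work["policy_checks"] += 1
    if len(password) < MIN_PASSWORD_LENGTH:
        raise PasswordRejected("too short")
    lowered = password.lower()
    if any(common in lowered for common in COMMON_PASSWORDS):
        raise PasswordRejected("contains a common password")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        raise PasswordRejected("needs letters and digits")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Slow hash (PBKDF2-HMAC-SHA256). Each call burns a fixed CPU budget, so it
    should only run on input that has already passed every cheap check."""
    work["hash_calls"] += 1
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def set_password_vulnerable(password: str) -> Tuple[bytes, bytes]:
    """'Before' shape: no upper bound, so an oversized password drives the
    length-dependent policy scan and then the slow hash."""
    check_policy(password)
    return hash_password(password)


def set_password_hardened(password: str) -> Tuple[bytes, bytes]:
    """'After' shape: an O(1) length test runs first, so oversized input is
    refused before any length-dependent or deliberately slow work starts."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise PasswordRejected(f"longer than {MAX_PASSWORD_LENGTH} characters")
    check_policy(password)
    return hash_password(password)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time. The same cap applies
    here, since login is another place where user-chosen input is validated."""
    if len(password) > MAX_PASSWORD_LENGTH:
        return False
    _, digest = hash_password(password, salt)
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    oversized = "a1" * 50_000   # constructed 100,000-character input
    try:
        set_password_hardened(oversized)
    except PasswordRejected as exc:
        print("rejected:", exc, "| work so far:", work)
    salt, digest = set_password_hardened("correct-horse-battery-7")
    print("login ok:", verify_password("correct-horse-battery-7", salt, digest))
```

The length test is cheap and independent of the password's content, so it belongs at the very front of the handler; the policy scan and the slow hash are the parts an oversized input would otherwise drive. The `work` counters exist only to make that ordering observable.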

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.3
It is recommended that the Nextcloud Enterprise Server is upgraded to 25.0.3

Workarounds

  • No workaround available

References

For more information

If you have any questions or comments about this advisory:

CPE Name   Operator   Version
server     lt         25.0.0
