High memory usage for generating preview of broken image

Description

Impact

An attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU.

Patches

It is recommended that the Nextcloud Server is upgraded to 21.0.8 , 22.2.4 or 23.0.1.

Workarounds

Disable preview generation with the 'enable_previews' config flag.

References

• HackerOne
• Pull Request

For more information

If you have any questions or comments about this advisory:

• Create a post in nextcloud/security-advisories
• Customers: Open a support ticket at support.nextcloud.com