Lucene search

NextcloudGHSA-M92J-XXC8-HQ3V

HistoryDec 01, 2022 - 9:31 a.m.

Calendar name length not validated before writing to database

2022-12-0109:31:44

github.com

database security

data validation

nextcloud upgrade

hackerone

public ticket

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

43.1%

JSON

Description

Impact

An attacker can send unnecessary amount of data against the database

Patches

It is recommended that the Nextcloud Server is upgraded to 23.0.10 or 24.0.5
It is recommended that the Nextcloud Enterprise Server is upgraded to 23.0.10 or 24.0.5

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/server/pull/33139

hackerone.com/reports/1596148

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

43.1%

JSON

Related for GHSA-M92J-XXC8-HQ3V