Lucene search

[email protected]NVD:CVE-2022-24741

HistoryMar 09, 2022 - 10:15 p.m.

CVE-2022-24741

2022-03-0922:15:09

CWE-400

CWE-770

[email protected]

web.nvd.nist.gov

nextcloud

server

vulnerability

file upload

denial of service

memory allocation

cpu

upgrade

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

64.5%

JSON

Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8 , 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the 'enable_previews' config flag.

Affected configurations

Nvd

Node

nextcloudnextcloud_serverRange21.0.0–21.0.8

nextcloudnextcloud_serverRange22.0.0–22.2.4

nextcloudnextcloud_serverMatch23.0.0

VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
nextcloudnextcloud_server23.0.0cpe:2.3:a:nextcloud:nextcloud_server:23.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server::::::::
nextcloud	nextcloud_server	23.0.0	cpe:2.3:a:nextcloud:nextcloud_server:23.0.0:::::::*