CVE-2022-41969

2022-12-0121:15:19

CWE-521

CWE-400

[email protected]

web.nvd.nist.gov

nextcloud server

password length limit

administrator

dos attack

CVSS3

2.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

39.7%

JSON

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don’t create user accounts with long passwords.

Affected configurations

Nvd

Node

nextcloudnextcloud_serverRange23.0.0–23.0.11

nextcloudnextcloud_serverRange23.0.0–23.0.11enterprise

nextcloudnextcloud_serverRange24.0.0–24.0.7

nextcloudnextcloud_serverRange24.0.0–24.0.7enterprise

VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server::::::::
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*