Lucene search

GoogleOSV:CVE-2023-25161

HistoryFeb 13, 2023 - 9:15 p.m.

CVE-2023-25161

2023-02-1321:15:14

Google

osv.dev

nextcloud

server

enterprise

versions

rate limiting

password reset

upgrade

patch

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

42.6%

JSON

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f

github.com/nextcloud/server/pull/34632

hackerone.com/reports/1691195

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

Confidence

High

EPSS

0.001

Percentile

42.6%

JSON

Related for OSV:CVE-2023-25161