6.5

CVE-2022-24741

Exploit

High memory usage in Nextcloud server

High memory usage for generating preview of broken image

Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8 , 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the `'enable_previews'` config flag.
Mögliche Gegenmaßnahme
Server: Disable preview generation with the `'enable_previews'` config flag.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudNextcloud Server Version >= 21.0.0 < 21.0.8
NextcloudNextcloud Server Version >= 22.0.0 < 22.2.4
NextcloudNextcloud Server Version23.0.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud
Produkt Server
Version >= 0.0.0, < 21.0.8
Version >= 22.2.0, < 22.2.4
Version >= 23.0.0, < 23.0.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.58% 0.723
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:N/A:P
security-advisories@github.com 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

https://security.gentoo.org/glsa/202208-17
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf3h-xf4q-mh89
Third Party Advisory
https://github.com/nextcloud/server/pull/30291
Patch
Third Party Advisory
https://hackerone.com/reports/1261225
Third Party Advisory
Exploit
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf3h-xf4q-mh89
Third Party Advisory