CVE-2022-35931

EPSS 0.05%
Published 06.09.2022 18:15:15
Last modified 21.11.2024 07:11:59
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Password Policy Version < 22.2.10

Nextcloud ≫ Password Policy Version >= 23.0.0 < 23.0.7

Nextcloud ≫ Password Policy Version >= 24.0.0 < 24.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.171

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE-261 Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password.

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://github.com/nextcloud/password_policy/pull/363

Patch

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-35931

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-35931

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-35931

EUVD