CVE-2022-41968

EPSS 0.29%
Veröffentlicht 01.12.2022 21:15:19
Zuletzt bearbeitet 21.11.2024 07:24:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's calendar name length not validated before writing to database

Calendar name length not validated before writing to database

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Server: No workaround available

Enterprise Server: No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 4 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version >= 23.0.0 < 23.0.10

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.10

Nextcloud ≫ Nextcloud Server Version >= 24.0.0 < 24.0.5

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 0.0.0, < 23.0.10

Version >= 24.0.0, < 24.0.5

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 0.0.0, < 23.0.10

Version >= 24.0.0, < 24.0.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.522

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v

Third Party Advisory

https://github.com/nextcloud/server/pull/33139

Patch

Third Party Advisory

https://hackerone.com/reports/1596148

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-41968

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41968

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41968

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-41968