CVE-2023-28835

EPSS 0.31%
Veröffentlicht 30.03.2023 19:15:07
Zuletzt bearbeitet 21.11.2024 07:56:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Insecure randomness for default password in nextcloud

Insecure randomness for default password in file sharing when password policy app is disabled

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

Mögliche Gegenmaßnahme

Server: * Enable password policy app * Overwrite the default password when creating a share

Enterprise Server: * Enable password policy app * Overwrite the default password when creating a share

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 5 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.14

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 24.0.0 < 24.0.10

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.10

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.4

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 24.0.0, < 24.0.10

Version >= 25.0.0, < 25.0.4

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 23.0.0, < 23.0.14

Version >= 24.0.0, < 24.0.10

Version >= 25.0.0, < 25.0.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.54

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9

Vendor Advisory

https://github.com/nextcloud/server/pull/36093

Patch

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28835

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28835

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28835

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-28835