7.5

CVE-2023-28847

Exploit

EPSS 0.26%
Veröffentlicht 25.04.2023 17:15:08
Zuletzt bearbeitet 21.11.2024 07:56:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server missing brute force protection for passwords of password protected share links

Missing brute force protection for passwords of password protected share links

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Server: No workaround available

Enterprise Server: No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 5 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.6

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 24.0.0 < 24.0.11

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.11

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.5

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 24.0.0, < 24.0.11

Version >= 25.0.0, < 25.0.5

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 23.0.0, < 23.0.12.6

Version >= 24.0.0, < 24.0.11

Version >= 25.0.0, < 25.0.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.493

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	3.1	1.6	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w

Vendor Advisory

https://github.com/nextcloud/server/pull/35057

Patch

Issue Tracking

https://hackerone.com/reports/1894653

Third Party Advisory

Exploit

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28847

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28847

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28847

EUVD