8.1
CVE-2023-32319
- EPSS 0.25%
- Published 26.05.2023 23:15:17
- Last modified 21.11.2024 08:03:06
- Source security-advisories@github.com
Basic auth header on WebDAV requests is not brute-force protected in Nextcloud
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed user credentials to be brute-forced when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Possible mitigation
Server: * No workaround available
Enterprise Server: * No workaround available
Data provided by the National Vulnerability Database (NVD)
- Nextcloud ≫ Nextcloud Server Version >= 24.0.0 < 24.0.11
- Nextcloud ≫ Nextcloud Server Version >= 25.0.0 < 25.0.5
VulnDex Vulnerability Enrichment
Further vulnerability information

| System | Product | Version |
|---|---|---|
| Nextcloud | Server | >= 24.0.0, < 24.0.11 |
| Nextcloud | Server | >= 25.0.0, < 25.0.5 |
| Nextcloud | Server | >= 26.0.0, < 26.0.0 |
| Nextcloud | Enterprise Server | >= 23.0.0, < 23.0.12.6 |
| Nextcloud | Enterprise Server | >= 24.0.0, < 24.0.12 |
| Nextcloud | Enterprise Server | >= 25.0.0, < 25.0.5 |
| Nextcloud | Enterprise Server | >= 26.0.0, < 26.0.0 |
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.483 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| security-advisories@github.com | 8.1 | 2.8 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.