CVE-2023-35172

EPSS 0.62%
Veröffentlicht 23.06.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 08:08:05
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server password reset endpoint is not brute force protected

Password reset endpoint is not brute force protected

NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 8 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 21.0.0 < 21.0.9.12

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 22.0.0 < 22.2.10.12

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.12.2

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.7

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.2

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 25.0.0, < 25.0.7

Version >= 26.0.0, < 26.0.2

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 21.0.0, < 21.0.9.12

Version >= 22.0.0, < 22.2.10.12

Version >= 23.0.0, < 23.0.12.7

Version >= 24.0.0, < 24.0.12.2

Version >= 25.0.0, < 25.0.7

Version >= 26.0.0, < 26.0.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.62%	0.698

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	8.7	2.2	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6

Vendor Advisory

https://github.com/nextcloud/server/pull/38267

Issue Tracking

https://hackerone.com/reports/1987062

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-35172

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35172

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35172

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-35172