CVE-2023-45150

Exploit

EPSS 0.12%
Veröffentlicht 16.10.2023 20:15:15
Zuletzt bearbeitet 21.11.2024 08:26:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Inviting excessive long email addresses to a calendar event makes the Nextcloud server unresponsive

Inviting excessive long email addresses to a calendar event makes the server unresponsive

Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The only workaround for users unable to upgrade is to disable the calendar app.

Mögliche Gegenmaßnahme

Calendar: * Disable app calendar

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Calendar Version >= 1.0 < 4.4.4

Weitere Schwachstelleninformationen

SystemNextcloud App

≫

Produkt Calendar

Version >= 1.0.0, < 4.4.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.305

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE-354 Improper Validation of Integrity Check Value

The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/nextcloud/calendar/pull/5358

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452

Vendor Advisory

https://hackerone.com/reports/2058337

Exploit

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-45150

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45150

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45150

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-45150