9.8

CVE-2023-49792

EPSS 0.41%
Veröffentlicht 22.12.2023 17:15:08
Zuletzt bearbeitet 21.11.2024 08:33:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Bruteforce protection can be bypassed with misconfigured proxy

Bruteforce protection can be bypassed with misconfigured proxy

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 7 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.13

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.12.9

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.13.4

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.9

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.9

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 27.0.0 < 27.1.4

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 26.0.0, < 26.0.9

Version >= 27.0.0, < 27.1.4

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 23.0.0, < 23.0.12.13

Version >= 24.0.0, < 24.0.12.9

Version >= 25.0.0, < 25.0.13.4

Version >= 26.0.0, < 26.0.9

Version >= 27.0.0, < 27.1.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.41%	0.608

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5j2p-q736-hw98

Vendor Advisory

https://github.com/nextcloud/server/pull/41526

Patch

https://hackerone.com/reports/2230915

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5j2p-q736-hw98

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-49792

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-49792

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-49792

EUVD