CVE-2022-31118
Missing brute force protection on cloud federation sharing in Nextcloud Server
Public Exploits: 0
Exploited in Wild: -
Decision: -
Description
Nextcloud Server is an open source personal cloud solution. In affected versions the cloud federation sharing endpoints lacked brute-force protection, so a remote attacker could probe whether federated sharing is in use and then attempt to brute-force the access tokens of federated shares. Share tokens are 15 characters drawn from `a-zA-Z0-9`, i.e. a keyspace of 62^15 (roughly 7.7 x 10^26), so a blind online guess is impractical, but the missing throttling is still the defect tracked here (CWE-307, CWE-770). Upgrade Nextcloud Server to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade can disable federated sharing in the admin sharing settings at `index.php/settings/admin/sharing`.
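As an added example (not Nextcloud's code and not part of the advisory), the following Python helpers check an installed version against the affected ranges listed on this page, quantify the 62^15 token keyspace the advisory mentions, and model a minimal per-source throttle of the kind CWE-307 calls for. The `BruteForceThrottle` class, the 100-guesses-per-second attacker and the address 203.0.113.7 are constructed assumptions for the demonstration, not Nextcloud's actual brute-force protection or observed traffic.

```python
"""Added example for CVE-2022-31118 (not Nextcloud code).

Three helpers a defender might want while triaging this CVE:
  * is_affected()       -- checks an installed version against the ranges
                           listed on this page
  * expected_guesses()  -- what brute-forcing a 15-char [a-zA-Z0-9] token
                           costs, given the token format in the advisory
  * BruteForceThrottle  -- a minimal CWE-307 control (per-source failure
                           window); a hypothetical illustration, NOT the
                           project's actual throttler
"""
import re
from collections import defaultdict, deque

# Affected ranges exactly as listed on this page: (lower inclusive, upper exclusive).
# None as the lower bound means "every release below the upper bound".
AFFECTED_RANGES = [
    (None, (22, 2, 9)),
    ((23, 0, 0), (23, 0, 6)),
    ((24, 0, 0), (24, 0, 2)),
]


def parse_version(text):
    """'24.0.1' -> (24, 0, 1); ignores suffixes such as ' RC1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable Nextcloud version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when `version` falls inside one of the affected ranges."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


# Token format stated in the advisory: 15 characters from a-zA-Z0-9.
TOKEN_ALPHABET_SIZE = 26 + 26 + 10
TOKEN_LENGTH = 15


def keyspace():
    return TOKEN_ALPHABET_SIZE ** TOKEN_LENGTH  # 62**15


def expected_guesses(valid_tokens=1):
    """Expected number of distinct guesses until the first hit when `valid_tokens`
    share tokens exist and the attacker guesses uniformly without replacement."""
    return (keyspace() + 1) // (valid_tokens + 1)


def years_to_expected_hit(requests_per_second, valid_tokens=1):
    seconds = expected_guesses(valid_tokens) / requests_per_second
    return seconds / (365.25 * 86400)


class BruteForceThrottle:
    """Hypothetical CWE-307 control: once a source has `max_failures` failed
    attempts inside a sliding `window_ms` window, further attempts are refused
    until old failures age out.  Time is integer milliseconds so the demo is
    deterministic (no float drift)."""

    def __init__(self, max_failures=5, window_ms=60_000):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self._failures = defaultdict(deque)

    def allow(self, source, now_ms):
        q = self._failures[source]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()  # drop failures older than the window
        return len(q) < self.max_failures

    def record_failure(self, source, now_ms):
        self._failures[source].append(now_ms)


def simulate_guessing(attempts, throttle=None, source="203.0.113.7"):
    """Constructed attacker: 100 token guesses per second from one address,
    every guess wrong (a miss is overwhelmingly likely in a 62**15 space).
    Returns how many guesses the server actually evaluated."""
    evaluated = 0
    for i in range(attempts):
        now_ms = i * 10
        if throttle is not None and not throttle.allow(source, now_ms):
            continue  # refused: the throttle never evaluates this guess
        evaluated += 1
        if throttle is not None:
            throttle.record_failure(source, now_ms)
    return evaluated


if __name__ == "__main__":
    for v in ("22.2.8", "22.2.9", "23.0.5", "24.0.1", "24.0.2"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(f"keyspace 62^15 = {keyspace():.3e}")
    print(f"years to expected hit at 1e6 req/s: {years_to_expected_hit(1e6):.2e}")
    print("unthrottled guesses evaluated:", simulate_guessing(10_000))
    print("throttled guesses evaluated:  ", simulate_guessing(10_000, BruteForceThrottle()))
```

Running the file prints the version verdicts and the number of guesses the server evaluates with and without the throttle over 100 seconds of attack traffic. The point of the throttle model is the contrast: without it every guess is evaluated, with even a crude five-failures-per-minute limit the attacker gets a handful of attempts per window, which is what the upstream fix restores; production deployments should apply the fixed release rather than a hand-rolled limiter.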
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-05-18 CVE Reserved
- 2022-08-04 CVE Published
- 2024-02-25 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (2)
URL | Tag | Date
---|---|---
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq | Third Party Advisory | -
https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018 | - | 2022-08-10
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Nextcloud | Nextcloud Server | < 22.2.9 | - | Affected
Nextcloud | Nextcloud Server | >= 23.0.0 < 23.0.6 | - | Affected
Nextcloud | Nextcloud Server | >= 24.0.0 < 24.0.2 | - | Affected