CVE-2022-35931

Nextcloud Password Policy's generated passwords are not fully validated by HIBPValidator

Severity Score

2.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

Nextcloud Password Policy es una aplicación que permite al administrador del servidor Nextcloud definir determinadas reglas para las contraseñas. En versiones anteriores a 22.2.10, 23.0.7 y 24.0.3, el generador de contraseñas aleatorias podía, en casos muy raros, generar contraseñas comunes que el propio comprobador bloqueaba. Actualice Nextcloud Server a versión 22.2.10, 23.0.7 o 24.0.3 para recibir un parche para el problema en la política de contraseñas. No se presentan mitigaciones conocidas disponibles.

*Credits: N/A

CVSS Scores

NISTv3.1 2.7

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-06 CVE Published
2024-03-29 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-261: Weak Encoding for Password
CWE-326: Inadequate Encryption Strength

CAPEC

References (2)

URL	Tag	Source
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/nextcloud/password_policy/pull/363	2022-09-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nextcloud Search vendor "Nextcloud"		Password Policy Search vendor "Nextcloud" for product "Password Policy"				< 22.2.10 Search vendor "Nextcloud" for product "Password Policy" and version " < 22.2.10"		-		Affected
Nextcloud Search vendor "Nextcloud"		Password Policy Search vendor "Nextcloud" for product "Password Policy"				>= 23.0.0 < 23.0.7 Search vendor "Nextcloud" for product "Password Policy" and version " >= 23.0.0 < 23.0.7"		-		Affected
Nextcloud Search vendor "Nextcloud"		Password Policy Search vendor "Nextcloud" for product "Password Policy"				>= 24.0.0 < 24.0.3 Search vendor "Nextcloud" for product "Password Policy" and version " >= 24.0.0 < 24.0.3"		-		Affected