CVE-2023-39960
Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.
Nextcloud Server proporciona almacenamiento de datos para Nextcloud, una plataforma en la nube de código abierto. En Nextcloud Server a partir de la versión 25.0.0 y anteriores a las 25.09 y 26.04; así como Nextcloud Enterprise Server a partir de la versión 22.0.0 y anteriores a las 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 y 26.0.4; La falta de protección permite a un atacante forzar contraseñas de fuerza bruta en la API WebDAV. Nextcloud Server versiones 25.0.9 y 26.0.4 y Nextcloud Enterprise Server versiones 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 y 26.0.4 contienen parches para este problema. No se conocen workarounds disponibles.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-08-07 CVE Reserved
- 2023-10-13 CVE Published
- 2024-09-12 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-307: Improper Restriction of Excessive Authentication Attempts
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://hackerone.com/reports/1924212 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/server/pull/38046 | 2023-10-18 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 | 2023-10-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 22.0.0 < 22.2.10.14 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 22.0.0 < 22.2.10.14" | enterprise |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 23.0.0 < 23.0.12.9 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 23.0.0 < 23.0.12.9" | enterprise |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 24.0.0 < 24.0.12.5 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 24.0.0 < 24.0.12.5" | enterprise |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 25.0.0 < 25.0.9 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 25.0.0 < 25.0.9" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 25.0.0 < 25.0.9 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 25.0.0 < 25.0.9" | enterprise |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 26.0.0 < 26.0.4 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 26.0.0 < 26.0.4" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 26.0.0 < 26.0.4 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 26.0.0 < 26.0.4" | enterprise |
Affected
| ||||||