CVE-2022-39330 - OpenCVE

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nextcloud	Nextcloud Enterprise Server Nextcloud Server

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:nextcloud_enterprise_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_enterprise_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_enterprise_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::

No data.

References

Link	Providers
https://github.com/nextcloud/circles/pull/1147
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c
https://hackerone.com/reports/1688199

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-27T00:00:00

Updated: 2024-08-03T12:00:44.115Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39330

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-27T14:15:12.207

Modified: 2022-11-01T13:49:21.887

Link: CVE-2022-39330

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39330", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:44.115Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-27T00:00:00"}, "containers": {"cna": {"title": "Database resource exhaustion for logged-in users via sharee recommendations with circles", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app."}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">= 23.0.0, < 23.0.9", "status": "affected"}, {"version": ">= 24.0.0, < 24.0.5", "status": "affected"}, {"version": "< 22.2.10", "status": "affected"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c"}, {"url": "https://github.com/nextcloud/circles/pull/1147"}, {"url": "https://hackerone.com/reports/1688199"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-wxx7-w5p4-7x4c", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:44.115Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c", "tags": ["x_transferred"]}, {"url": "https://github.com/nextcloud/circles/pull/1147", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/1688199", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "26BA86CB-577A-40A2-8CB0-4E1E9ED7CE81", "versionEndExcluding": "22.2.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FDED962-1E0C-4A3A-A7EC-F7F4C13359A7", "versionEndExcluding": "23.0.10", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "5240C7BA-7640-415D-85C2-923FE3F5A8DA", "versionEndExcluding": "24.0.6", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFEEE179-128F-47EA-9BB7-363DBCC58206", "versionEndExcluding": "23.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "81DA9FFF-A2A4-4EAD-8A97-B2692C2DD2A1", "versionEndExcluding": "24.0.6", "versionStartIncluding": "24.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app."}, {"lang": "es", "value": "Nextcloud Server es el software de servidor de archivos para Nextcloud, una plataforma de productividad autohospedada. Nextcloud Server anterior a las versiones 23.0.10 y 24.0.6 y Nextcloud Enterprise Server anterior a las versiones 22.2.10, 23.0.10 y 24.0.6 son vulnerables a que un atacante que haya iniciado sesi\u00f3n ralentice el sistema generando una gran cantidad de bases de datos/ carga de la CPU. Las versiones 23.0.10 y 24.0.6 de Nextcloud Server y las versiones 22.2.10, 23.0.10 y 24.0.6 de Nextcloud Enterprise Server contienen parches para este problema. Como workaround, desactive la aplicaci\u00f3n Circles."}], "id": "CVE-2022-39330", "lastModified": "2022-11-01T13:49:21.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-27T14:15:12.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/circles/pull/1147"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1688199"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}