CVE-2022-41969 - OpenCVE

Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nextcloud	Nextcloud Server

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx
https://github.com/nextcloud/server/pull/34500
https://hackerone.com/reports/1727424

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-01T20:47:50.466Z

Updated: 2024-08-03T12:56:39.151Z

Reserved: 2022-09-30T16:38:28.956Z

Link: CVE-2022-41969

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-12-01T21:15:19.660

Modified: 2022-12-05T19:32:20.867

Link: CVE-2022-41969

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41969", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74", "dateReserved": "2022-09-30T16:38:28.956Z", "datePublished": "2022-12-01T20:47:50.466Z", "dateUpdated": "2024-08-03T12:56:39.151Z"}, "containers": {"cna": {"title": "Nextcloud Server has no password length limit when creating a user as an administrator", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx"}, {"name": "https://github.com/nextcloud/server/pull/34500", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/server/pull/34500"}, {"name": "https://hackerone.com/reports/1727424", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1727424"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": "< 23.0.11", "status": "affected"}, {"version": ">= 24.0.0, < 24.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-01T20:47:50.466Z"}, "descriptions": [{"lang": "en", "value": "Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords."}], "source": {"advisory": "GHSA-4gm7-j7wg-m4fx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:39.151Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx"}, {"name": "https://github.com/nextcloud/server/pull/34500", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/server/pull/34500"}, {"name": "https://hackerone.com/reports/1727424", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1727424"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B51980B-7359-4A35-9DCD-4C80FDF9A1D8", "versionEndExcluding": "23.0.11", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53D85FB5-BF48-4044-AC9F-5791706A8924", "versionEndExcluding": "23.0.11", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF8B844D-C28E-4650-AFCE-127A2559E8F4", "versionEndExcluding": "24.0.7", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "8251B5E2-329E-4B11-A07A-33EAC251B98C", "versionEndExcluding": "24.0.7", "versionStartIncluding": "24.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords."}, {"lang": "es", "value": "Nextcloud Server es un servidor en la nube personal de c\u00f3digo abierto. Antes de las versiones 23.0.11, 24.0.7 y 25.0.0, no hab\u00eda l\u00edmite de longitud de contrase\u00f1a al crear un usuario como administrador. Un administrador puede provocar un ataque DoS limitado contra su propio servidor. Las versiones 23.0.11, 24.0.7 y 25.0.0 contienen una soluci\u00f3n para el problema. Como workaround, no cree cuentas de usuario con contrase\u00f1as largas."}], "id": "CVE-2022-41969", "lastModified": "2022-12-05T19:32:20.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-12-01T21:15:19.660", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/server/pull/34500"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1727424"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}