Vulnerability Details CVE-2022-41968
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.5%
CVSS Severity
CVSS v3 Score 3.5
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v
- https://github.com/nextcloud/server/pull/33139
- https://hackerone.com/reports/1596148
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m92j-xxc8-hq3v
- https://github.com/nextcloud/server/pull/33139
- https://hackerone.com/reports/1596148
Products affected by CVE-2022-41968
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.0
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.1
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.2
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.3
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.4
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.5
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.6
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.7
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.9
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.0
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.1
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.2
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.4