Vulnerability Details CVE-2022-41969
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.5%
CVSS Severity
CVSS v3 Score 2.4
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx
- https://github.com/nextcloud/server/pull/34500
- https://hackerone.com/reports/1727424
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j7wg-m4fx
- https://github.com/nextcloud/server/pull/34500
- https://hackerone.com/reports/1727424
Products affected by CVE-2022-41969
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.0
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.1
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.2
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.3
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.4
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.5
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.6
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.7
-
cpe:2.3:a:nextcloud:nextcloud_server:23.0.9
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.0
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.1
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.2
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.4
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.5
-
cpe:2.3:a:nextcloud:nextcloud_server:24.0.6