CVE-2022-31118

Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq	Third Party Advisory
https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::

History

No history.

Information

Published : 2022-08-04 17:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-31118

Mitre link : CVE-2022-31118

CVE.ORG link : CVE-2022-31118

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2022-31118", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2022-08-04T17:15:08.440", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`."}, {"lang": "es", "value": "El servidor Nextcloud es una soluci\u00f3n de nube personal de c\u00f3digo abierto. En las versiones afectadas un atacante podr\u00eda hacer fuerza bruta para encontrar si est\u00e1 siendo usando el uso compartido federado y potencialmente intentar forzar los tokens de acceso para los recursos compartidos federados (`a-zA-Z0-9\" ^ 15). Es recomendado actualizar el servidor Nextcloud a versiones 22.2.9, 23.0.6 o 24.0.2. Los usuarios que no puedan actualizar pueden deshabilitar la compartici\u00f3n federada por medio de la configuraci\u00f3n de compartici\u00f3n del administrador en \"index.php/settings/admin/sharing\""}], "lastModified": "2022-08-10T15:31:24.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "596A101A-C02E-4B7A-A281-8B5E680157F3", "versionEndExcluding": "22.2.9"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D211427-568D-4955-AD5E-A5DDD3AAA988", "versionEndExcluding": "23.0.6", "versionStartIncluding": "23.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E86D31A7-ED06-426E-B4BD-3A9F23F49D00", "versionEndExcluding": "24.0.2", "versionStartIncluding": "24.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}