Nextcloud Server's brute force protection allows someone to send more requests than intended
CVE-2023-32320
What is CVE-2023-32320?
Nextcloud Server, a self-hosted productivity platform, has a flaw in its brute force protection: the failed-attempt counter is only updated once a response has been returned to the client, so requests sent in parallel are all checked against the old count and admitted before any of them is recorded. By firing many requests at once, an attacker can exceed the configured limit (8 attempts by default) and make more login or other throttled requests than the protection is meant to allow. The issue is fixed in Nextcloud Server 25.0.7 and 26.0.2 and in Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7 and 24.0.12.2.
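The flaw is a check-then-act race between reading the attempt counter and recording the failure. The following Python simulation is added here as an illustration of that race and of the usual fix (reserve the attempt atomically before processing it); it is not Nextcloud's code. The throttler classes, the `simulate` helper, the client IP and the "wrong-guess" password are constructed for the example; only the 8-attempt default comes from the description above. Barriers are used so that the race outcome is reproducible rather than timing-dependent.

```python
import threading
from collections import defaultdict

DEFAULT_LIMIT = 8  # default attempt limit as stated in the advisory text


class RacyThrottler:
    """Check-then-act limiter (the vulnerable pattern, constructed for this
    example): a failure is counted only after the request has been processed,
    so concurrent requests all read the same stale count and all pass."""

    def __init__(self, limit=DEFAULT_LIMIT):
        self.limit = limit
        self.failures = defaultdict(int)
        self.lock = threading.Lock()

    def is_blocked(self, client_ip):
        with self.lock:
            return self.failures[client_ip] >= self.limit

    def record_failure(self, client_ip):
        with self.lock:
            self.failures[client_ip] += 1


class ReservingThrottler:
    """Hardened variant: the attempt is reserved (counted) atomically before
    any processing, so at most `limit` requests can reach the credential
    check no matter how many arrive in parallel. A success releases its slot."""

    def __init__(self, limit=DEFAULT_LIMIT):
        self.limit = limit
        self.attempts = defaultdict(int)
        self.lock = threading.Lock()

    def try_reserve(self, client_ip):
        with self.lock:
            if self.attempts[client_ip] >= self.limit:
                return False
            self.attempts[client_ip] += 1
            return True

    def release(self, client_ip):
        with self.lock:
            self.attempts[client_ip] -= 1


def check_password(submitted, expected="correct horse battery staple"):
    # Constructed stand-in for credential verification.
    return submitted == expected


def simulate(kind, n_requests, limit=DEFAULT_LIMIT):
    """Fire n_requests wrong-password attempts from one IP at the same moment
    and return how many of them reached credential verification."""
    ip = "203.0.113.7"  # constructed client address (TEST-NET-3)
    throttler = RacyThrottler(limit) if kind == "racy" else ReservingThrottler(limit)
    arrived = threading.Barrier(n_requests)  # all requests hit the server together
    checked = threading.Barrier(n_requests)  # every check completes before any record
    verified = []
    verified_lock = threading.Lock()

    def worker():
        arrived.wait()
        if kind == "racy":
            allowed = not throttler.is_blocked(ip)
        else:
            allowed = throttler.try_reserve(ip)
        checked.wait()  # makes the race deterministic for the demonstration
        if not allowed:
            return
        ok = check_password("wrong-guess")
        with verified_lock:
            verified.append(ok)
        if kind == "racy":
            throttler.record_failure(ip)  # too late: everyone already passed
        elif ok:
            throttler.release(ip)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(verified)


if __name__ == "__main__":
    print("racy limiter, 50 parallel requests reached verification:", simulate("racy", 50))
    print("reserving limiter, 50 parallel requests reached verification:", simulate("reserving", 50))
```

With the racy limiter all 50 parallel guesses are verified even though the limit is 8; with the reserving limiter exactly 8 are. The same property holds for any backend that stores the counter: the increment must be part of the admission decision (a single atomic read-modify-write), not a separate write performed after the response has been built.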
Affected Version(s)
Source: security-advisories
Nextcloud Server >= 25.0.0, < 25.0.7 (fixed in 25.0.7)
Nextcloud Server >= 26.0.0, < 26.0.2 (fixed in 26.0.2)
Nextcloud Enterprise Server >= 21.0.0, < 21.0.9.12 (fixed in 21.0.9.12)