Nextcloud Server password reset endpoint is not brute force protected
CVE-2023-35172

8.7HIGH

Key Information:

Vendor: Nextcloud
Status: Security-advisories
Vendor: CVE Published:; 23 June 2023

🔔 Create Nextcloud Vulnerability Alert

What is CVE-2023-35172?

Certain versions of Nextcloud Server and Nextcloud Enterprise Server are vulnerable to a brute-force attack on the password reset links. This issue affects versions ranging from 25.0.0 to 25.0.7 and 26.0.0 to 26.0.2 for Nextcloud Server, as well as various versions for Nextcloud Enterprise Server. An attacker could exploit this vulnerability to reset user passwords via the brute-force method. Fortunately, patches addressing this issue have been implemented in the latest versions.

Affected Version(s)

security-advisories Nextcloud Server >= 25.0.0, < 25.0.7 < Nextcloud Server 25.0.0, 25.0.7

security-advisories Nextcloud Server >= 26.0.0, < 26.0.2 < Nextcloud Server 26.0.0, 26.0.2

security-advisories Nextcloud Enterprise Server >= 25.0.0, < 25.0.7 < Nextcloud Enterprise Server 25.0.0, 25.0.7

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_CONFIRM

https://github.com/nextcloud/server/pull/38267

x_refsource_MISC

https://hackerone.com/reports/1987062

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2023
Vulnerability Reserved
Jun 14, 2023

.