Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
CVE-2023-39960

7.5 HIGH

Key Information:

Vendor:
nextcloud

CVE Published:
13 October 2023

What is CVE-2023-39960?

Nextcloud Server, a widely used open-source cloud platform, is susceptible to password brute-force attacks via its WebDAV API. The endpoint that authenticates WebDAV requests does not apply the brute-force protection that limits repeated failed login attempts elsewhere in the server, so an unauthenticated attacker on the network can make unlimited password guesses against any account. Nextcloud Server is affected starting from version 25.0.0 and prior to versions 25.0.9 and 26.0.4; Nextcloud Enterprise Server is affected starting from version 22.0.0 and prior to versions 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 and 26.0.4. A successful guess gives the attacker full access to the victim's files and data. Administrators should upgrade to a patched version. Until then, rate limiting at the reverse proxy or web server in front of /remote.php/dav and /remote.php/webdav reduces exposure, and repeated WebDAV authentication failures from a single source in the server log are the signal to watch for.

Affected Version(s)

Package               Affected                    Not affected   Patched in
security-advisories   >= 22.0.0, < 22.2.10.14     < 22.0.0       22.2.10.14
security-advisories   >= 23.0.0, < 23.0.12.9      < 23.0.0       23.0.12.9
security-advisories   >= 24.0.0, < 24.0.12.5      < 24.0.0       24.0.12.5

CVSS V3.1

Score: 7.5
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 13 October 2023

  • Vulnerability reserved