Vulnerability Name: | CVE-2022-31118 (CCN-232814)
Assigned: | 2022-08-04
Published: | 2022-08-04
Updated: | 2022-08-10
Summary: | Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.
CVSS v3 Severity: | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
                  | 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
                  | 5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C)
CVSS v2 Severity: | 6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)
Vulnerability Type: | CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Vulnerability Consequences: | Obtain Information
References: | Source: MITRE, Type: CNA, CVE-2022-31118
            | Source: XF, Type: UNKNOWN, nextcloud-cve202231118-info-disc(232814)
            | Source: CCN, Type: Nextcloud GIT Repository, "Missing brute force protection on cloud federation sharing"
            | Source: CONFIRM, Type: Third Party Advisory, https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq
            | Source: MISC, Type: Patch, Third Party Advisory, https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018
Vulnerable Configuration: | Configuration 1: (configuration details not present on this page)