Bug 2187916 (CVE-2023-25818)

Summary: CVE-2023-25818 nextcloud-server: missing brute force protection on password reset token
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud-server 24.0.10, nextcloud-server 25.0.4 Doc Type: ---
Doc Text:
A malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-19 11:36:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2187918, 2187919, 2187920, 2187921, 2187922, 2187923, 2187924, 2187925, 2187926, 2187927, 2187928    
Bug Blocks:    

Description TEJ RATHI 2023-04-19 06:24:16 UTC 
Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.

https://github.com/nextcloud/server/pull/36489
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp
https://github.com/nextcloud/server/pull/36489/commits/704eb3aa6cecc0a646f5cca4290b595f493f9ed3
Comment 1 TEJ RATHI 2023-04-19 06:32:58 UTC 
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187918]


Created nextcloud:23/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187919]
Affects: fedora-all [bug 2187922]


Created nextcloud:24/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187920]
Affects: fedora-all [bug 2187923]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187924]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187925]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187926]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187921]
Affects: fedora-all [bug 2187927]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187928]
Comment 2 Product Security DevOps Team 2023-04-19 11:35:59 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.