Bug 2092758 (CVE-2022-29243)
| Summary: | CVE-2022-29243 nextcloud: unbounded app password length can lead to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ce, james.hogarth |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nextcloud 22.2.7, nextcloud 23.0.4 | Doc Type: | --- |
| Doc Text: |
A flaw was found in nextcloud server where missing input size validation of new session names allows users to create app passwords with long names which are then loaded into memory on usage, resulting in impacted performance, and allowing an attacker to perform a denial of service attack.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-06-02 10:42:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2092759, 2092760 | ||
| Bug Blocks: | |||
|
Description
TEJ RATHI
2022-06-02 07:57:46 UTC
Created nextcloud tracking bugs for this issue: Affects: epel-all [bug 2092760] Affects: fedora-all [bug 2092759] This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |