Bug 2092758 (CVE-2022-29243)

Summary: CVE-2022-29243 nextcloud: unbounded app password length can lead to DoS
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ce, james.hogarth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud 22.2.7, nextcloud 23.0.4 Doc Type: ---
Doc Text:
A flaw was found in nextcloud server where missing input size validation of new session names allows users to create app passwords with long names which are then loaded into memory on usage, resulting in impacted performance, and allowing an attacker to perform a denial of service attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-02 10:42:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2092759, 2092760    
Bug Blocks:    

Description TEJ RATHI 2022-06-02 07:57:46 UTC
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

https://github.com/nextcloud/server/pull/31658
https://hackerone.com/reports/1153138
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w

Comment 1 TEJ RATHI 2022-06-02 07:58:10 UTC
Created nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2092760]
Affects: fedora-all [bug 2092759]

Comment 2 Product Security DevOps Team 2022-06-02 10:42:52 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.