Bug 2179751 (CVE-2023-25161)

Summary: CVE-2023-25161 nextcloud-server: Missing rate limiting on password reset functionality allows sending lots of emails
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud 25.0.1, nextcloud 24.0.8, nextcloud 23.0.12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-20 09:30:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2179767, 2179769, 2179770, 2179771, 2179772, 2179773, 2179774, 2179775, 2179776, 2179777, 2179778    
Bug Blocks:    

Description TEJ RATHI 2023-03-20 05:43:28 UTC 
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

https://github.com/nextcloud/server/pull/34632
https://hackerone.com/reports/1691195
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f
Comment 1 TEJ RATHI 2023-03-20 05:49:37 UTC 
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2179767]


Created nextcloud:23/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2179769]
Affects: fedora-all [bug 2179772]


Created nextcloud:24/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2179770]
Affects: fedora-all [bug 2179773]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2179774]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2179775]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2179776]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2179771]
Affects: fedora-all [bug 2179777]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2179778]
Comment 2 Product Security DevOps Team 2023-03-20 09:30:45 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.