Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability. https://github.com/nextcloud/server/pull/36489 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp https://github.com/nextcloud/server/pull/36489/commits/704eb3aa6cecc0a646f5cca4290b595f493f9ed3
Created nextcloud tracking bugs for this issue: Affects: fedora-all [bug 2187918] Created nextcloud:23/nextcloud tracking bugs for this issue: Affects: epel-all [bug 2187919] Affects: fedora-all [bug 2187922] Created nextcloud:24/nextcloud tracking bugs for this issue: Affects: epel-all [bug 2187920] Affects: fedora-all [bug 2187923] Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue: Affects: fedora-all [bug 2187924] Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue: Affects: fedora-all [bug 2187925] Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue: Affects: fedora-all [bug 2187926] Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue: Affects: epel-all [bug 2187921] Affects: fedora-all [bug 2187927] Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue: Affects: fedora-all [bug 2187928]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.