2217313 – (CVE-2023-35172) CVE-2023-35172 NextCloud: Password reset endpoint is not brute force protected

Bug 2217313 (CVE-2023-35172) - CVE-2023-35172 NextCloud: Password reset endpoint is not brute force protected

Summary: CVE-2023-35172 NextCloud: Password reset endpoint is not brute force protected

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2023-35172
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2217314 2217315
Blocks:
TreeView+	depends on / blocked

Reported:	2023-06-26 04:43 UTC by Avinash Hanwate
Modified:	2023-06-26 11:28 UTC (History)
CC List:	0 users
Fixed In Version:	NextCloud 25.0.7, NextCloud 26.0.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-06-26 11:28:28 UTC
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-06-26 04:43:46 UTC

NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.

https://github.com/nextcloud/server/pull/38267
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6
https://hackerone.com/reports/1987062

Comment 1 Avinash Hanwate 2023-06-26 04:44:09 UTC

Created nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2217315]
Affects: fedora-all [bug 2217314]

Comment 2 Product Security DevOps Team 2023-06-26 11:28:27 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.