Bug 2244110 (CVE-2023-39960) - CVE-2023-39960 nextcloud: WebDAV API vulnerable to brute force password attacks
Summary: CVE-2023-39960 nextcloud: WebDAV API vulnerable to brute force password attacks
Keywords:
Status: NEW
Alias: CVE-2023-39960
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2244111 2244112
Blocks:
Reported: 2023-10-13 20:13 UTC by Robb Gatica
Modified: 2024-07-24 08:27 UTC (History)

Fixed In Version: nextcloud 25.0.9, nextcloud 26.0.4, nextcloud 22.2.10.14, nextcloud 23.0.12.9, nextcloud 24.0.12.5, nextcloud 25.0.9, nextcloud 26.0.4
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2023-10-13 20:13:52 UTC
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.

https://hackerone.com/reports/1924212
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9
https://github.com/nextcloud/server/pull/38046
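
The advisory above describes missing brute-force protection on the WebDAV API, so the defender-side question is how to spot a password-guessing run against that endpoint in the web server's access log while an instance is still unpatched. The following detector is an added example written for this page; it is not code from Nextcloud or from the linked advisory. It assumes an Apache/nginx combined-format access log, that Nextcloud's DAV endpoints live under /remote.php/dav and /remote.php/webdav, and that a failed Basic-auth attempt is logged with HTTP status 401; the log lines, addresses and timestamps are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format). The user field is "-"
# on failed attempts because the web server has no authenticated user to log.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2023:20:00:01 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
203.0.113.7 - - [13/Oct/2023:20:00:02 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
198.51.100.4 - - [13/Oct/2023:20:00:03 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 401 0
203.0.113.7 - - [13/Oct/2023:20:00:04 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
203.0.113.7 - - [13/Oct/2023:20:00:05 +0000] "GET /status.php HTTP/1.1" 200 512
203.0.113.7 - - [13/Oct/2023:20:00:06 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
203.0.113.7 - - [13/Oct/2023:20:00:07 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
198.51.100.4 - bob [13/Oct/2023:20:00:08 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 207 1843
203.0.113.7 - - [13/Oct/2023:20:00:09 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
203.0.113.7 - - [13/Oct/2023:20:02:00 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 0
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed Nextcloud DAV endpoint prefixes (example assumption for this page).
DAV_PREFIXES = ("/remote.php/dav", "/remote.php/webdav")


def parse_line(line):
    """Return a dict with ip, user, ts (aware datetime), method, path, status,
    or None when the line does not match the combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def is_dav_auth_failure(ev):
    """A request to a DAV endpoint that was rejected with 401 (bad credentials)."""
    return ev["status"] == 401 and ev["path"].startswith(DAV_PREFIXES)


def detect_dav_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of DAV auth failures per source IP.

    Returns {ip: peak_failures_in_window} for every IP that reached `threshold`
    failures inside any `window`. Aggregation is by IP rather than by user
    because the logged user field is not reliable on failed Basic auth."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_dav_auth_failure(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window relative to this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = max(alerts.get(ev["ip"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_dav_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"possible WebDAV password guessing from {ip}: {count} failures within 1 minute")
```

On the sample data only 203.0.113.7 trips the detector: its 401s on the DAV path reach five within a minute and peak at six, while the lone late failure at 20:02 starts a fresh window and does not raise the count. The successful 207 from 198.51.100.4 and the 200 on /status.php are ignored by design, so a healthy sync client with a wrong saved password shows up only once it crosses the threshold. In production the threshold and window should be tuned against the normal retry behaviour of the desktop and mobile clients hitting the same endpoint.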

Comment 1 Robb Gatica 2023-10-13 20:14:09 UTC
Created nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2244111]
Affects: fedora-all [bug 2244112]

Comment 2 Ivan Chavero 2023-10-13 21:19:37 UTC
Upgrading nextcloud to: 25.0.9 or 26.0.4 according to the nextcloud recommendation [1]

[1] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9

Comment 3 Ivan Chavero 2023-10-13 23:33:55 UTC
(In reply to Ivan Chavero from comment #2)
> Upgrading nextcloud to: 25.0.9 or 26.0.4 according to the nextcloud
> recommendation [1]
>
> [1] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9

My bad here, the nextcloud 27.0.2 package is already on koji. Creating the bodhi entries so it lands on the distro.
