CVE-2022-39346 — Improper Input Validation in Security-advisories

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption2 documents2 sources

Severity

6.5MEDIUMNVD

CNA3.5

EPSS

1.6%

top 18.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Enterprise Server Nextcloud Server +1 more

Timeline

PublishedNov 25

Description

Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDnextcloud/nextcloud_server23.0.0 — 23.0.7+2

▶NVDnextcloud/nextcloud_enterprise_server23.0.0 — 23.0.7+2

▶CVEListV5nextcloud/security-advisories< 22.2.10+2

Also affects: Fedora 35, 36, 37

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Missing length validation of user displayname in nextcloud server↗2022-11-25

▶