CVE-2023-28835

CWE-3382 documents2 sources
Severity
7.5HIGH
EPSS
0.3%
top 45.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Nextcloud Server
Timeline
PublishedMar 30

Description

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server23.0.023.0.14+2
CVEListV5nextcloud/security-advisories< 24.0.10+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Insecure randomness for default password in nextcloud2023-03-30
CVE-2023-28835 (HIGH CVSS 7.5) | Nextcloud server is an open source | cvebase.io