CVE-2023-32320

CWE-3072 documents2 sources
Severity
7.5HIGH
EPSS
0.5%
top 33.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedJun 22

Description

Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise S

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.8

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.9.12+5
CVEListV5nextcloud/security-advisories8 versions+7

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server's brute force protection allows someone to send more requests than intended2023-06-22
CVE-2023-32320 (HIGH CVSS 7.5) | Nextcloud Server is a data storage | cvebase.io