CVE-2023-45150Uncontrolled Resource Consumption in Calendar

CWE-400Uncontrolled Resource ConsumptionCWE-354Improper Validation of Integrity Check Value2 documents2 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 69.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud CalendarNextcloud Security-advisories
Timeline
PublishedOct 16

Description

Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The only workaround for users unable to upgrade is to disable the calendar app.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/calendar1.04.4.4
CVEListV5nextcloud/security-advisories>= 1.0.0, < 4.4.4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Inviting excessive long email addresses to a calendar event makes the Nextcloud server unresponsive2023-10-16
CVE-2023-45150 — Uncontrolled Resource Consumption | cvebase