CVE-2020-8228 - OpenCVE

A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Opensuse	Leap Backports Sle
Nextcloud	Preferred Providers

Configuration 1 [-]

cpe:2.3:a:nextcloud:preferred_providers:1.7.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:opensuse:backports_sle:15.0:sp1::::::
	cpe:2.3:a:opensuse:backports_sle:15.0:sp2::::::
	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html	Third Party Advisory
https://hackerone.com/reports/922470	Exploit Third Party Advisory
https://nextcloud.com/security/advisory/?id=NC-SA-2020-033	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2020-10-05T13:15:23

Updated: 2020-10-10T23:06:24

Reserved: 2020-01-28T00:00:00

Link: CVE-2020-8228

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-05T14:15:13.670

Modified: 2020-10-20T18:56:06.573

Link: CVE-2020-8228

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Nextcloud Preferred Provider", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 1.8.0"}]}], "descriptions": [{"lang": "en", "value": "A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-840", "description": "Business Logic Errors (CWE-840)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-10T23:06:24", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/922470"}, {"tags": ["x_refsource_MISC"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-033"}, {"name": "openSUSE-SU-2020:1652", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8228", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Nextcloud Preferred Provider", "version": {"version_data": [{"version_value": "Fixed in 1.8.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Business Logic Errors (CWE-840)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/922470", "refsource": "MISC", "url": "https://hackerone.com/reports/922470"}, {"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-033", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-033"}, {"name": "openSUSE-SU-2020:1652", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8228", "datePublished": "2020-10-05T13:15:23", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2020-10-10T23:06:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:preferred_providers:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9CB6BFB9-C9B8-4BD0-B854-72B6D5D835AB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times."}, {"lang": "es", "value": "Una falta de l\u00edmite de velocidad en la aplicaci\u00f3n Preferred Providers versi\u00f3n 1.7.0, permiti\u00f3 a un atacante ajustar la contrase\u00f1a una cantidad de veces no controlada"}], "id": "CVE-2020-8228", "lastModified": "2020-10-20T18:56:06.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-05T14:15:13.670", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/922470"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-033"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-840"}], "source": "support@hackerone.com", "type": "Secondary"}]}