Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54 | Vendor Advisory |
https://github.com/nextcloud/server/pull/37227 | Patch |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-05-26T22:49:30.234Z
Updated: 2023-05-26T22:49:30.234Z
Reserved: 2023-05-08T13:26:03.879Z
Link: CVE-2023-32319
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-05-26T23:15:17.493
Modified: 2023-06-03T02:58:54.227
Link: CVE-2023-32319
JSON object: View
Redhat Information
No data.
CWE