No password length limit when creating a user as an administrator
Package: Server (Nextcloud)
Affected versions: < 23.0.11, < 24.0.7, < 25.0.0
Patched versions: 23.0.11, 24.0.7, 25.0.0
Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.11, < 23.0.11, < 24.0.7, < 25.0.0
Patched versions: 22.2.11, 23.0.11, 24.0.7, 25.0.0
Impact
An administrator can cause a limited DoS attack against their own server.
Patches
It is recommended that the Nextcloud Server is upgraded to 23.0.11, 24.0.7 or 25.0.0.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.11, 24.0.7 or 25.0.0.
Workarounds
Don't create user accounts with long passwords.
References
For more information
If you have any questions or comments about this advisory: