Missing length validation of user displayname allows to generate an SQL error

Low
nickvergessen published GHSA-6w9f-jgjx-4vj6 Nov 25, 2022

Package: Server (Nextcloud)
Affected versions: < 22.2.10, < 23.0.7, < 24.0.3
Patched versions: 22.2.10, 23.0.7, 24.0.3

Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.10, < 23.0.7, < 24.0.3
Patched versions: 22.2.10, 23.0.7, 24.0.3

Description

Impact

When sending a huge amount of data to the display name endpoint, a user can potentially cause a denial of service against the database.
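As an added illustration (not code from the advisory or from Nextcloud), the Python below contrasts a handler that passes the submitted display name straight to the database with one that enforces a length limit in the application first, so an oversized value is answered with a client error instead of reaching the database. The 64-character cap, the in-memory SQLite table and its CHECK constraint are assumptions standing in for the real column limit.

```python
import sqlite3
from typing import Optional, Tuple

# Assumed limit: the advisory does not state the server's cap, so 64
# characters is a constructed value used only for this demonstration.
MAX_DISPLAY_NAME_CHARS = 64


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a users table; the CHECK plays the role of the
    column length limit that an oversized display name violates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid TEXT PRIMARY KEY, displayname TEXT "
        f"CHECK (length(displayname) <= {MAX_DISPLAY_NAME_CHARS}))"
    )
    conn.execute("INSERT INTO users VALUES ('alice', 'Alice')")
    return conn


def set_display_name_unchecked(conn, uid: str, name: str) -> Tuple[int, str]:
    """Vulnerable shape: the request value goes straight to SQL, so an oversized
    name surfaces as a database error (HTTP 500) rather than a client error."""
    try:
        conn.execute("UPDATE users SET displayname = ? WHERE uid = ?", (name, uid))
        return 200, "ok"
    except sqlite3.DatabaseError as exc:
        return 500, f"database error: {exc}"


def validate_display_name(name: str) -> Optional[str]:
    """Return a rejection reason, or None when the value is acceptable."""
    if not name.strip():
        return "display name must not be empty"
    if len(name) > MAX_DISPLAY_NAME_CHARS:
        return f"display name longer than {MAX_DISPLAY_NAME_CHARS} characters"
    return None


def set_display_name_checked(conn, uid: str, name: str) -> Tuple[int, str]:
    """Hardened shape: validate in the application before any SQL runs, so the
    database never sees the oversized value."""
    reason = validate_display_name(name)
    if reason is not None:
        return 400, reason
    return set_display_name_unchecked(conn, uid, name)
```

Calling both handlers with a constructed 10,000-character name shows the difference: the unchecked path reports a database error, the checked path returns 400 without touching the table.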

Patches

It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Severity

Low (3.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-39346

Weaknesses

Credits