Missing length validation of user displayname allows to generate an SQL error
Package
Server
(Nextcloud)
Affected versions
< 22.2.10, < 23.0.7, < 24.0.3
Patched versions
22.2.10, 23.0.7, 24.0.3
Server
(Nextcloud Enterprise)
< 22.2.10, < 23.0.7, < 24.0.3
22.2.10, 23.0.7, 24.0.3
Impact
When sending huge amount of data to the display name endpoint a user can potentially denial of service the database.
Patches
It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: