Improper input-size validation on the user new session name

Moderate
nickvergessen published GHSA-7cwm-qph5-4h5w May 30, 2022

Package

Server (Nextcloud)

Affected versions

< 22.2.7, < 23.0.4

Patched versions

22.2.7, 23.0.4

Description

Impact

The name of a new session is not validated for size, so users can create app passwords with long names. These names are then loaded into memory when the app password is used, which degrades performance.

Patches

It is recommended that Nextcloud Server be upgraded to 22.2.7 or 23.0.4.

Workarounds

No workaround available

References

Severity

Moderate (4.3 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2022-29243

Weaknesses