
Insecure randomness for default password in file sharing when password policy app is disabled

Low
nickvergessen published GHSA-7w2p-rp9m-9xp9 Mar 30, 2023

Package                        Affected versions                  Patched versions
Server (Nextcloud)             >= 24.0.0, >= 25.0.0               24.0.10, 25.0.4
Server (Nextcloud Enterprise)  >= 23.0.0, >= 24.0.0, >= 25.0.0    23.0.14, 24.0.10, 25.0.4

Description

Impact

The fallback password generated when creating a share used weak complexity, so if the sharer did not change it, the password could be guessed in an acceptable time frame.

Patches

It is recommended that Nextcloud Server is upgraded to 24.0.10 or 25.0.4.
It is recommended that Nextcloud Enterprise Server is upgraded to 23.0.14, 24.0.10 or 25.0.4.

Workarounds

  • Enable password policy app
  • Overwrite the default password when creating a share
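The two points above (a fallback password with too little complexity, and a password policy as the mitigation) can be illustrated with a small added example. This is not Nextcloud's code; the character classes, minimum length and minimum entropy threshold are assumptions chosen for the illustration. It draws a fallback password from a CSPRNG that satisfies a one-character-per-class policy, and estimates the entropy of any candidate so a low-complexity default can be rejected.

```python
import math
import secrets
import string

# Character classes a password policy typically requires (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
_sysrand = secrets.SystemRandom()  # CSPRNG-backed shuffle


def generate_share_password(length: int = 20) -> str:
    """Generate a fallback share password from a CSPRNG.

    One character from every class is drawn first so the result always
    satisfies a 'one of each class' policy; the remainder is drawn from the
    union of all classes and the whole string is shuffled with the same CSPRNG.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to cover all character classes")
    alphabet = "".join(CLASSES.values())
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _sysrand.shuffle(chars)
    return "".join(chars)


def entropy_bits(password: str) -> float:
    """Estimate entropy as length * log2(size of the classes actually used).

    This assumes uniform random choice from the classes present, so a
    password built from a small alphabet or a short length scores low.
    """
    pool = sum(len(cs) for cs in CLASSES.values() if any(c in cs for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def meets_policy(password: str, min_length: int = 12, min_bits: float = 64.0) -> bool:
    """Policy check a server could apply before accepting a generated fallback password."""
    has_all_classes = all(any(c in cs for c in password) for cs in CLASSES.values())
    return len(password) >= min_length and has_all_classes and entropy_bits(password) >= min_bits
```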

Severity

Low (3.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-28835

Weaknesses