Impact
Nextcloud Server did not implement a database backend for rate limiting. Any component of Nextcloud using rate limits (such as AnonRateThrottle or UserRateThrottle) was therefore not rate limited on instances without a memory cache backend configured.
In a default installation, this notably includes the rate limits on two-factor codes.
Patches
It is recommended that the Nextcloud Server is upgraded to 20.0.13, 21.0.5 or 22.2.0.
Workarounds
Enable a memory cache backend in config.php, as shown in our config.sample.php.
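
The following check is an added example, not Nextcloud code: it classifies an instance from its version string and the text of its config.php, using the fixed releases and the workaround stated in this advisory. The function names and sample configs are constructed for illustration. It assumes that an uncommented `memcache.local` or `memcache.distributed` entry is what enables a memory cache backend, and it reports "unknown" for branches the advisory does not name.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
PATCHED = {20: (20, 0, 13), 21: (21, 0, 5), 22: (22, 2, 0)}

# Uncommented 'memcache.local' / 'memcache.distributed' entries in config.php.
# (Line-based: entries inside /* ... */ block comments are not excluded.)
_MEMCACHE_RE = re.compile(
    r"""^\s*['"]memcache\.(local|distributed)['"]\s*=>\s*['"]([^'"]*)['"]
    """,
    re.MULTILINE | re.VERBOSE,
)

def configured_memcache(config_php):
    """Return {key: class} for memcache entries that name a real backend."""
    found = {}
    for key, value in _MEMCACHE_RE.findall(config_php):
        cls = value.replace("\\\\", "\\").strip()  # PHP may escape backslashes
        if cls and not cls.endswith("NullCache"):
            found["memcache." + key] = cls
    return found

def assess(version, config_php):
    """Classify an instance as patched, mitigated, exposed or unknown."""
    parts = (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]
    fixed = PATCHED.get(parts[0])
    if fixed is None:
        return "unknown"    # the advisory names no fixed release for this branch
    if parts >= fixed:
        return "patched"
    if configured_memcache(config_php):
        return "mitigated"  # workaround: a memory cache backend is configured
    return "exposed"        # rate limits, including on two-factor codes, not enforced

# Constructed sample configs (not taken from a real instance).
SAMPLE_DEFAULT = r"""<?php
$CONFIG = array (
  // 'memcache.local' => '\OC\Memcache\APCu',
);
"""
SAMPLE_WORKAROUND = r"""<?php
$CONFIG = array (
  'memcache.local' => '\OC\Memcache\APCu',
);
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_DEFAULT, SAMPLE_WORKAROUND):
        print(assess("21.0.4.1", cfg))
```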
References
For more information
If you have any questions or comments about this advisory: