
Basic auth header on WebDAV requests is not brute-force protected

High
nickvergessen published GHSA-mr7q-xf62-fw54 May 24, 2023

Package                        Affected versions                  Patched versions
Server (Nextcloud)             >= 24.0.0, >= 25.0.0               24.0.11, 25.0.5, 26.0.0
Server (Nextcloud Enterprise)  >= 23.0.0, >= 24.0.0, >= 25.0.0    23.0.12.6, 24.0.12, 25.0.5, 26.0.0

Description

Impact

Missing brute-force protection on the WebDAV endpoints, for credentials supplied in the HTTP Basic authentication header, allowed an attacker to brute-force user credentials whenever the provided user name was not an email address. Logins with an email-shaped user name went through the throttled path; plain user names did not.
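The following is an added, constructed model of this bug class, written for this page and not Nextcloud's own implementation. It assumes a per-IP failed-login throttler (`Throttler`, `MAX_ATTEMPTS`, `WINDOW_SECONDS`), a plaintext user store (`USERS`), the status codes 207/401/429, and the two wordlists; all of these are illustrative. `webdav_login_vulnerable` only consults the throttle for email-shaped user names, so a dictionary attack against `alice` runs to completion, while `webdav_login_fixed` checks and updates throttle state on every request before it even parses the credential.

```python
"""Model of the bug class in this advisory: a login throttle that is skipped for
some usernames.  Constructed example, not Nextcloud's code; the throttler design,
status codes, user store and request shape are assumptions."""
import base64
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed credential store (plaintext only to keep the example short).
USERS = {"alice": "correct horse battery staple", "bob@example.org": "hunter2"}

MAX_ATTEMPTS = 10            # failed attempts per client IP before refusing
WINDOW_SECONDS = 12 * 3600   # failures older than this are forgotten

# Constructed dictionary-attack inputs: 50 wrong guesses, then the real password.
WORDLIST_ALICE = [f"password{i}" for i in range(50)] + ["correct horse battery staple"]
WORDLIST_BOB = [f"password{i}" for i in range(50)] + ["hunter2"]


@dataclass
class Throttler:
    """Failed-login counter keyed by remote IP.  `now` is a logical clock so the
    example is deterministic; a real implementation uses wall-clock time."""
    now: float = 0.0
    failures: dict = field(default_factory=lambda: defaultdict(list))

    def register_failure(self, ip: str) -> None:
        self.failures[ip].append(self.now)

    def is_blocked(self, ip: str) -> bool:
        cutoff = self.now - WINDOW_SECONDS
        recent = [t for t in self.failures[ip] if t >= cutoff]
        self.failures[ip] = recent
        return len(recent) >= MAX_ATTEMPTS


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode an 'Authorization: Basic <base64(user:pass)>' value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def webdav_login_vulnerable(throttler: Throttler, header: str, ip: str) -> int:
    """WebDAV basic-auth check that only throttles email-shaped usernames.
    Models the flaw described above: plain usernames bypass the throttle."""
    user, password = parse_basic_auth(header)
    is_email = "@" in user
    if is_email and throttler.is_blocked(ip):
        return 429                      # Too Many Requests
    if USERS.get(user) == password:
        return 207                      # Multi-Status: the PROPFIND would succeed
    if is_email:
        throttler.register_failure(ip)
    return 401


def webdav_login_fixed(throttler: Throttler, header: str, ip: str) -> int:
    """Hardened variant: throttle state is checked and updated for every request,
    before the credential is parsed, regardless of the username's shape."""
    if throttler.is_blocked(ip):
        return 429
    try:
        user, password = parse_basic_auth(header)
    except ValueError:
        throttler.register_failure(ip)  # malformed headers count as attempts too
        return 401
    if USERS.get(user) == password:
        return 207
    throttler.register_failure(ip)
    return 401


def simulate_guesses(login, username: str, wordlist, ip: str = "203.0.113.7") -> dict:
    """Drive a dictionary attack through `login` from one IP; report how it fared."""
    throttler = Throttler()
    outcome = {"tried": 0, "throttled": 0, "success": False}
    for guess in wordlist:
        header = "Basic " + base64.b64encode(f"{username}:{guess}".encode()).decode()
        status = login(throttler, header, ip)
        outcome["tried"] += 1
        if status == 429:
            outcome["throttled"] += 1
        elif status == 207:
            outcome["success"] = True
            break
    return outcome


if __name__ == "__main__":
    for login in (webdav_login_vulnerable, webdav_login_fixed):
        for user, words in (("alice", WORDLIST_ALICE), ("bob@example.org", WORDLIST_BOB)):
            print(f"{login.__name__:24} {user:16} {simulate_guesses(login, user, words)}")
```

The point of the hardened variant is where the check sits: throttling is a property of the request (remote address plus authentication action), so it must run before any branch that depends on what the credential looks like. Gating it on the identifier's format, as the vulnerable variant does, leaves every other identifier format unprotected.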

Patches

It is recommended that Nextcloud Server be upgraded to 24.0.11, 25.0.5 or 26.0.0.
It is recommended that Nextcloud Enterprise Server be upgraded to 23.0.12.6, 24.0.11, 25.0.5 or 26.0.0.

Workarounds

  • No workaround available

For more information

If you have any questions or comments about this advisory:

Severity

High, 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2023-32319
