Basic auth header on WebDAV requests is not brute-force protected
Package: Server (Nextcloud)
Affected versions: >= 24.0.0, >= 25.0.0
Patched versions: 24.0.11, 25.0.5, 26.0.0

Package: Server (Nextcloud Enterprise)
Affected versions: >= 23.0.0, >= 24.0.0, >= 25.0.0
Patched versions: 23.0.12.6, 24.0.12, 25.0.5, 26.0.0
Impact
Missing brute-force protection on the WebDAV endpoints authenticated via the basic auth header allowed user credentials to be brute-forced when the provided username was not an email address.
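To help operators spot this kind of activity in web-server access logs, here is an added detection example written for this advisory (not Nextcloud's own code). It assumes the combined log format, constructed sample lines, and the usual /remote.php/dav and /remote.php/webdav WebDAV paths, and flags any client that accumulates many 401 responses on those paths within a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format) for illustration; not real traffic.
# 203.0.113.7 repeatedly fails basic auth against WebDAV; 198.51.100.5 is a normal client.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2023:12:00:{s:02d} +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 401 233 "-" "curl/7.88.1"'
     for s in range(12)]
    + ['198.51.100.5 - - [10/Mar/2023:12:00:05 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 401 233 "-" "Mozilla/5.0"',
       '198.51.100.5 - - [10/Mar/2023:12:00:06 +0000] "PROPFIND /remote.php/dav/files/bob/ HTTP/1.1" 207 1024 "-" "Mozilla/5.0"',
       '203.0.113.7 - - [10/Mar/2023:12:00:30 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "curl/7.88.1"']
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
DAV_PREFIXES = ("/remote.php/dav", "/remote.php/webdav")  # assumed WebDAV paths


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def find_webdav_bruteforce(log_text, threshold=10, window_seconds=60):
    """Map each client IP to its peak number of 401s on WebDAV paths inside any
    sliding window of window_seconds; only IPs at or above threshold are returned."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path, status = parsed
        if status == 401 and path.startswith(DAV_PREFIXES):
            failures[ip].append(when)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop attempts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_webdav_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed WebDAV basic-auth attempts within 60s")
```

Successful requests (207) and 401s on non-WebDAV paths are deliberately ignored so ordinary clients with a single mistyped password are not flagged.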
Patches
It is recommended that the Nextcloud Server is upgraded to 24.0.11, 25.0.5 or 26.0.0.
It is recommended that the Nextcloud Enterprise Server is upgraded to 23.0.12.6, 24.0.11, 25.0.5 or 26.0.0.
Workarounds
References
For more information
If you have any questions or comments about this advisory: