
Database resource exhaustion for logged-in users via sharee recommendations with circles

Moderate
nickvergessen published GHSA-wxx7-w5p4-7x4c Oct 27, 2022

Package: Server (Nextcloud)
Affected versions: < 23.0.10, < 24.0.6
Patched versions: 23.0.10, 24.0.6

Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.10, < 23.0.10, < 24.0.6
Patched versions: 22.2.10, 23.0.10, 24.0.6

Description

Impact

A logged-in attacker can slow down the system by generating a large amount of database/CPU load through sharee recommendations when the Circles app is enabled.

Patches

It is recommended that Nextcloud Server is upgraded to 23.0.10 or 24.0.6.
It is recommended that Nextcloud Enterprise Server is upgraded to 22.2.10, 23.0.10 or 24.0.6.

Workarounds

Disable the Circles app.
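As an added example (not part of the advisory or of Nextcloud's own tooling), a POSIX shell script that classifies an instance's version against the affected/patched ranges listed above and applies the documented workaround when the instance is affected. It assumes purely numeric version strings (no rc/beta suffixes) and that `occ status --output=json` reports `versionstring` and `edition` fields; the `occ app:disable circles` call is the standard way to disable an app by id.

```shell
# Added example: classify a Nextcloud version against GHSA-wxx7-w5p4-7x4c
# and disable the Circles app (the advisory's workaround) when affected.
# Assumptions: numeric dotted versions only; `occ status --output=json`
# exposes "versionstring" and "edition" (treated as assumptions here).

# vercmp A B: prints -1, 0 or 1 comparing dotted version strings numerically
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    if [ "$a" = "$ax" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bx" ]; then b=; else b=${b#*.}; fi
    if [ "${ax:-0}" -lt "${bx:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${ax:-0}" -gt "${bx:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# in_range LOW HIGH V: true when LOW <= V < HIGH
in_range() {
  [ "$(vercmp "$3" "$1")" -ge 0 ] && [ "$(vercmp "$3" "$2")" -lt 0 ]
}

# is_affected EDITION V: true when the advisory lists V as affected.
# EDITION is "server" or "enterprise".
is_affected() {
  case $1 in enterprise) oldest=22.2.10 ;; *) oldest=23.0.10 ;; esac
  # "< 22.2.10" / "< 23.0.10": anything below the oldest patched release
  if [ "$(vercmp "$2" "$oldest")" -lt 0 ]; then return 0; fi
  # the 23.0 branch before 23.0.10 (only reachable for Enterprise)
  if in_range 23.0.0 23.0.10 "$2"; then return 0; fi
  # the 24.0 branch before 24.0.6
  if in_range 24.0.0 24.0.6 "$2"; then return 0; fi
  return 1
}

# check_instance OCC_PATH: read the live version, disable Circles if needed
check_instance() {
  status=$(php "$1" status --output=json)
  v=$(printf '%s' "$status" | sed -n 's/.*"versionstring":"\([^"]*\)".*/\1/p')
  ed=server
  printf '%s' "$status" | grep -qi '"edition":"[^"]*enterprise' && ed=enterprise
  if is_affected "$ed" "$v"; then
    echo "Nextcloud $ed $v is affected; disabling the Circles app"
    php "$1" app:disable circles
  else
    echo "Nextcloud $ed $v is patched against CVE-2022-39330"
  fi
}
```

Run `check_instance /var/www/nextcloud/occ` as the web server user; the classification functions can also be fed version strings collected from a fleet inventory.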

Severity

Moderate (4.8 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-39330
