Description
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing of user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
- Vendor Advisory
- Patch
- Vendor Advisory
- Patch
Vulnerable configurations
Configuration 1
Version from 24.0.0 (inclusive) up to 24.0.11 (exclusive)
Version from 25.0.0 (inclusive) up to 25.0.5 (exclusive)
One of
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
EPSS
Percentile: 43%
0.00202
Low
8.1 High
CVSS3
6.5 Medium
CVSS3
Weaknesses
CWE-307
CWE-307
Related vulnerabilities
CVSS3: 8.1
debian
about 2 years ago
Nextcloud server is an open source personal cloud implementation. Miss ...