CVE-2022-41969
low-risk
Published 2022-12-01
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create user accounts with long passwords.
Do I need to act?
-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.4/10
Low
NETWORK
/ LOW complexity
Affected Products (2)
Affected Vendors
References (6)
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j...
Permissions Required
https://hackerone.com/reports/1727424
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gm7-j...
Permissions Required
https://hackerone.com/reports/1727424
21
/ 100
low-risk
Severity
13/34 · Low
Exploitability
1/34 · Minimal
Exposure
7/34 · Low