CVE-2022-39346: Missing length validation of user displayname allows to generate an SQL error

Nextcloud Server is an open source personal cloud server. Affected versions of Nextcloud Server did not properly limit the length of user display names, which could allow a malicious user to overload the backing database and cause a denial of service. It is recommended that Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Tags: #sql #dos #perl

Package: Server (Nextcloud)
Affected versions: < 22.2.10, < 23.0.7, < 24.0.3
Patched versions: 22.2.10, 23.0.7, 24.0.3

Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.10, < 23.0.7, < 24.0.3

Description

Impact

By sending a huge amount of data to the display name endpoint, a user can potentially cause a denial of service against the database, because the submitted value is passed through to the backing store without a length check.
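The mitigation for this class of bug is to bound the length of user-supplied profile fields before they reach the database. The following is an added illustration written for this advisory, not Nextcloud's own code: it shows a simulated display-name endpoint without a length check beside a hardened version that rejects oversized input up front. The limit value (MAX_DISPLAY_NAME_LENGTH), the FakeUserStore stand-in for the database and the handler names are all assumptions for the example; the advisory does not state which limit the Nextcloud fix applies.

```python
# Added example (not Nextcloud's code). Demonstrates bounding a user-supplied
# display name before it is written to the backing database.
from dataclasses import dataclass, field

# Assumed limit for illustration only; the advisory does not give the real value.
MAX_DISPLAY_NAME_LENGTH = 64


class DisplayNameTooLong(ValueError):
    """Raised when a display name exceeds the configured limit."""


@dataclass
class FakeUserStore:
    """Stand-in for the database layer; records every write it would perform."""
    writes: list = field(default_factory=list)

    def set_display_name(self, uid: str, name: str) -> None:
        self.writes.append((uid, name))


def validate_display_name(raw: str, max_len: int = MAX_DISPLAY_NAME_LENGTH) -> str:
    """Normalize and bound a display name.

    Length is measured in Unicode code points after trimming surrounding
    whitespace, so the check is independent of the request's byte encoding.
    """
    name = raw.strip()
    if not name:
        raise ValueError("display name must not be empty")
    if len(name) > max_len:
        raise DisplayNameTooLong(
            f"display name has {len(name)} characters, limit is {max_len}"
        )
    return name


def handle_set_display_name_unbounded(store: FakeUserStore, uid: str, raw: str):
    """Vulnerable shape: the value goes straight to the database, whatever its size."""
    store.set_display_name(uid, raw)
    return 200, "ok"


def handle_set_display_name(store: FakeUserStore, uid: str, raw: str):
    """Hardened shape: validate first, touch the database only on success.

    Returns an (http_status, message) pair the way an endpoint handler would.
    """
    try:
        name = validate_display_name(raw)
    except DisplayNameTooLong as exc:
        # Reject before any database work happens; nothing oversized is written.
        return 400, str(exc)
    except ValueError as exc:
        return 400, str(exc)
    store.set_display_name(uid, name)
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample input: a normal name and an oversized one.
    oversized = "x" * 100_000
    vulnerable_store = FakeUserStore()
    print(handle_set_display_name_unbounded(vulnerable_store, "alice", oversized))
    print("bytes written by vulnerable handler:", len(vulnerable_store.writes[0][1]))

    hardened_store = FakeUserStore()
    print(handle_set_display_name(hardened_store, "alice", "Alice Example"))
    print(handle_set_display_name(hardened_store, "alice", oversized))
    print("writes recorded by hardened handler:", hardened_store.writes)
```

The field-level check complements, rather than replaces, a request body size limit at the web server or framework layer: the latter stops multi-megabyte payloads early, while the former enforces the column's semantic limit so that every path that sets the field (API, admin UI, provisioning) is covered consistently.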

Patches

It is recommended that Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.
It is recommended that Nextcloud Enterprise Server is upgraded to 22.2.10, 23.0.7 or 24.0.3.

Workarounds

No workaround available

References

  • HackerOne
  • PullRequest

For more information

If you have any questions or comments about this advisory:

  • Create a post in nextcloud/security-advisories
  • Customers: Open a support ticket at support.nextcloud.com
