CVE-2022-24741: Prevent loading images that would require too much memory. by fancycode · Pull Request #30291 · nextcloud/server
Nextcloud server is an open source, self-hosted cloud-style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which cause the server to allocate too much memory / CPU. It is recommended that Nextcloud Server is upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the 'enable_previews' config flag.
For most image formats, the header specifies the width/height. PHP allocates an image object from that size, even if the actual image data is much smaller. This image object size is not limited by the limit configured in PHP.
The memory limit can be configured through config setting “preview_max_memory” and defaults to 128 MBytes which should be enough for most images without filling up all memory.
Signed-off-by: Joachim Bauch [email protected]
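The check the pull request describes (read the dimensions from the header, estimate the decoded size, refuse before allocating) as an added example. This is illustrative code, not Nextcloud's implementation or any of its APIs; it parses PNG and GIF headers by hand so it runs offline, assumes 4 bytes per decoded pixel, and uses its own function names (`headerDimensions`, `isSafeToDecode`) and constructed sample headers.

```php
<?php
// Added example, not Nextcloud code: bound the memory a decoder would need for an
// image using only the dimensions declared in its header, before any pixels are
// decoded. Assumption: a decoded pixel costs 4 bytes (32-bit RGBA), which is the
// order of magnitude GD-style decoders use for truecolor images.
declare(strict_types=1);

const BYTES_PER_PIXEL = 4;
const DEFAULT_MAX_MEMORY = 128 * 1024 * 1024; // same 128 MB default the PR describes

/**
 * Return [width, height] declared in a PNG or GIF header, or null if the
 * bytes are not a recognised header. Only the header is inspected; the
 * (possibly tiny or absent) pixel data is never touched.
 */
function headerDimensions(string $bytes): ?array
{
    // PNG: 8-byte signature, then IHDR chunk: length(4) "IHDR"(4) width(4) height(4), big-endian
    if (strlen($bytes) >= 24
        && substr($bytes, 0, 8) === "\x89PNG\r\n\x1a\n"
        && substr($bytes, 12, 4) === 'IHDR') {
        $d = unpack('Nwidth/Nheight', substr($bytes, 16, 8));
        return [$d['width'], $d['height']];
    }
    // GIF: "GIF87a"/"GIF89a", then logical screen width(2) height(2), little-endian
    if (strlen($bytes) >= 10 && in_array(substr($bytes, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        $d = unpack('vwidth/vheight', substr($bytes, 6, 4));
        return [$d['width'], $d['height']];
    }
    return null;
}

/**
 * True if width*height*BYTES_PER_PIXEL fits within $maxMemory. The comparison
 * is rearranged with intdiv so that an absurd header (e.g. 4 billion x 4 billion)
 * cannot overflow a PHP int and slip past the check.
 */
function fitsInMemory(int $width, int $height, int $maxMemory): bool
{
    if ($width <= 0 || $height <= 0) {
        return false;
    }
    return $width * BYTES_PER_PIXEL <= intdiv($maxMemory, $height);
}

/** Decide from the header alone whether decoding this upload is acceptable. */
function isSafeToDecode(string $bytes, int $maxMemory = DEFAULT_MAX_MEMORY): bool
{
    $dims = headerDimensions($bytes);
    if ($dims === null) {
        return false; // unknown format: refuse rather than guess
    }
    [$w, $h] = $dims;
    return fitsInMemory($w, $h, $maxMemory);
}

// Constructed sample inputs: PNG headers with no pixel data at all, differing
// only in the dimensions they declare. Both are a few dozen bytes on disk.
function pngHeader(int $w, int $h): string
{
    return "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', $w, $h)
        . "\x08\x06\x00\x00\x00"; // bit depth 8, RGBA, no CRC (header-only sample)
}

$normal = pngHeader(1920, 1080);      // ~8 MB decoded: accepted
$huge   = pngHeader(60000, 60000);    // ~14 GB decoded: rejected
$gif    = 'GIF89a' . pack('vv', 640, 480) . "\x00\x00\x00"; // ~1.2 MB: accepted

var_dump(isSafeToDecode($normal)); // bool(true)
var_dump(isSafeToDecode($huge));   // bool(false)
var_dump(isSafeToDecode($gif));    // bool(true)
var_dump(isSafeToDecode('not an image')); // bool(false)
```

In a real PHP deployment the dimensions would normally come from `getimagesize()` rather than a hand-written parser; the point is that the decision is made on header-declared dimensions and a configurable byte budget, since the uploaded file's size on disk says nothing about how much memory decoding it will claim.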
Related news
Gentoo Linux Security Advisory 202208-17 - Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.