Vulnerability Details : CVE-2022-29243
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
Vulnerability category: Input validation
Products affected by CVE-2022-29243
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29243
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 47 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29243
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
8.0
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
2.8
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2022-29243
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Primary)
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-29243
-
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w
Improper input-size validation on the user new session name · Advisory · nextcloud/security-advisories · GitHubThird Party Advisory
-
https://security.gentoo.org/glsa/202208-17
Nextcloud: Multiple Vulnerabilities (GLSA 202208-17) — Gentoo securityThird Party Advisory
-
https://github.com/nextcloud/server/pull/31658
Limit the length of app password names by nickvergessen · Pull Request #31658 · nextcloud/server · GitHubPatch;Third Party Advisory
-
https://hackerone.com/reports/1153138
#1153138 Improper input-size validation on the user new session name can result in server-side DDoS.Third Party Advisory
Jump to