CVE-2022-31118 : Nextcloud server is an open source personal cloud solution. In affected versions

Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.

Published 2022-08-04 17:15:08

Updated 2022-08-10 15:31:24

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-31118

Nextcloud » Nextcloud Server
Versions before (<) 22.2.9
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 23.0.0 and before (<) 23.0.6
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 24.0.0 and before (<) 24.0.2
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-31118

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-31118

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L	3.9	2.5	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: Low

CWE ids for CVE-2022-31118

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Assigned by: nvd@nist.gov (Primary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-31118

https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018

Correctly log failed attempts by nickvergessen · Pull Request #32843 · nextcloud/server · GitHub
Patch;Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq

Missing brute force protection on cloud federation sharing · Advisory · nextcloud/security-advisories · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-31118

Products affected by CVE-2022-31118

Exploit prediction scoring system (EPSS) score for CVE-2022-31118

CVSS scores for CVE-2022-31118

CWE ids for CVE-2022-31118

References for CVE-2022-31118