Vulnerability Details : CVE-2022-35931
Nextcloud Password Policy is an app that lets a Nextcloud server admin define rules that user passwords must satisfy. Prior to versions 22.2.10, 23.0.7, and 24.0.3, the app's random password generator could, in very rare cases, produce a common password that the app's own validator would have rejected. Upgrade Nextcloud Server to 22.2.10, 23.0.7, or 24.0.3 to receive the fix for Password Policy. There are no known workarounds.
Products affected by CVE-2022-35931
- cpe:2.3:a:nextcloud:password_policy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-35931
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~17% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-35931
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | 1.2 | 1.4 | NIST | |
2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | 1.2 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2022-35931
- Obscuring a password with a trivial encoding does not protect the password. (Assigned by: security-advisories@github.com, Secondary)
- The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-35931
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr
  Generated passwords are not fully validated by HIBPValidator · Advisory · nextcloud/security-advisories · GitHub (Third Party Advisory)
- https://github.com/nextcloud/password_policy/pull/363
  Shuffle before validating by miaulalala · Pull Request #363 · nextcloud/password_policy · GitHub (Patch; Third Party Advisory)