Vulnerability Details : CVE-2023-28847
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5, as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5, the endpoint that verifies the password of a password-protected share link applies no brute-force protection: failed attempts are neither counted nor slowed down, so anyone holding the share link can keep submitting guesses until one is accepted. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue (brute-force protection was added to all methods wrapped by PublicShareMiddleware). No known workarounds are available.
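The root cause described above, rebuilt as a small simulation (an added example, not Nextcloud's code): a share-link password check that answers every guess, beside one that counts failures per (client IP, share token) and refuses to evaluate further guesses once a threshold is reached, in the spirit of the brute-force protection the fix adds around PublicShareMiddleware. The thresholds, the throttle key, the fake clock, the share token and the attacker wordlist are assumptions made for this illustration; the PBKDF2 iteration count is deliberately low so the demo runs quickly.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from functools import partial

# All three constants are assumptions chosen for this illustration.
MAX_FAILURES = 5        # failed attempts allowed per key inside the window
WINDOW_SECONDS = 900    # 15-minute sliding window
PBKDF2_ITERS = 20_000   # kept low so the demo runs fast; production needs far more


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class ShareLinkStore:
    """Salted password hashes for password-protected share links."""
    def __init__(self):
        self._shares = {}

    def create(self, token, password):
        salt = secrets.token_bytes(16)
        self._shares[token] = (salt, derive(password, salt))

    def check(self, token, password):
        salt, digest = self._shares[token]
        # constant-time compare: the verification itself must not leak via timing
        return hmac.compare_digest(derive(password, salt), digest)


def unprotected_authenticate(store, client_ip, token, password):
    """Pre-fix behaviour: every guess is verified, however many have failed."""
    return "ok" if store.check(token, password) else "wrong_password"


class ThrottledShareAuth:
    """Post-fix behaviour: failures are counted per (client IP, share token).
    Once MAX_FAILURES fall inside WINDOW_SECONDS the password is not checked
    at all and the caller gets "throttled" (HTTP 429 in a real server)."""
    def __init__(self, store, clock):
        self.store = store
        self.clock = clock                    # callable returning seconds
        self._failures = defaultdict(list)    # (ip, token) -> failure timestamps

    def _recent_failures(self, key):
        now = self.clock()
        self._failures[key] = [t for t in self._failures[key] if now - t < WINDOW_SECONDS]
        return self._failures[key]

    def authenticate(self, client_ip, token, password):
        key = (client_ip, token)
        if len(self._recent_failures(key)) >= MAX_FAILURES:
            return "throttled"
        if self.store.check(token, password):
            self._failures[key].clear()
            return "ok"
        self._failures[key].append(self.clock())
        return "wrong_password"


def brute_force(authenticate, client_ip, token, wordlist):
    """Try each candidate; report what fell and how many guesses were actually evaluated."""
    found, checked, throttled = None, 0, 0
    for candidate in wordlist:
        result = authenticate(client_ip, token, candidate)
        if result == "throttled":
            throttled += 1
            continue
        checked += 1
        if result == "ok":
            found = candidate
            break
    return {"found": found, "checked": checked, "throttled": throttled}


# Constructed sample data: one protected share link and a short attacker wordlist.
TOKEN = "aBcDeFgH1234"
SHARE_PASSWORD = "winter2023"
WORDLIST = ["password", "123456", "nextcloud", "letmein", "qwerty",
            "summer2023", "welcome", "admin", "winter2023", "dragon"]


def run_demo():
    store = ShareLinkStore()
    store.create(TOKEN, SHARE_PASSWORD)
    attacker_ip = "203.0.113.7"
    unprotected = brute_force(partial(unprotected_authenticate, store),
                              attacker_ip, TOKEN, WORDLIST)
    now = [0.0]                               # fake clock, advanced by hand below
    guarded = ThrottledShareAuth(store, clock=lambda: now[0])
    throttled = brute_force(guarded.authenticate, attacker_ip, TOKEN, WORDLIST)
    # Collateral effect: anyone behind the same (ip, token) key is locked out until the window passes.
    during = guarded.authenticate(attacker_ip, TOKEN, SHARE_PASSWORD)
    now[0] += WINDOW_SECONDS
    after = guarded.authenticate(attacker_ip, TOKEN, SHARE_PASSWORD)
    return {"unprotected": unprotected, "throttled": throttled,
            "during_window": during, "after_window": after}
```

Calling run_demo() shows the unprotected check giving up the password on the ninth evaluated guess, while the throttled check evaluates five, rejects the rest unchecked (the correct password among them) and admits the real password again only once the window has elapsed. Two caveats a reviewer would raise on a real deployment: keying only on the client IP lets an attacker rotate addresses, so counting per share token as well is worth considering; and a hard lockout hands the attacker a denial-of-service lever against the legitimate recipient, which is why many throttlers start with growing delays before refusing outright.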
Products affected by CVE-2023-28847
- Nextcloud » Nextcloud Server » Enterprise Edition, versions from including (>=) 24.0.0 and before (<) 24.0.11: cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise Edition, versions from including (>=) 25.0.0 and before (<) 25.0.5: cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise Edition, versions from including (>=) 23.0.0 and before (<) 23.0.12.6: cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server (standard edition; per the description above, versions from including (>=) 24.0.0 and before (<) 24.0.11, and from including (>=) 25.0.0 and before (<) 25.0.5): cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28847
EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~61% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-28847
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | 1.6 | 1.4 | GitHub, Inc. |

The two sources agree that the issue is reachable over the network without privileges and affects confidentiality only, but differ on everything else: NIST's vector treats the password check as low-complexity, needing no user interaction, with a high confidentiality impact (the content behind the share link), whereas GitHub's vector assumes high attack complexity, a required user interaction and a low confidentiality impact, which is what pulls its score down to 3.1.
CWE ids for CVE-2023-28847
- CWE-307: Improper Restriction of Excessive Authentication Attempts. The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-28847
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w
  "Missing brute force protection for passwords of password protected share links" (advisory, nextcloud/security-advisories on GitHub). Tags: Vendor Advisory
- https://hackerone.com/reports/1894653
  HackerOne report. Tags: Exploit; Issue Tracking; Third Party Advisory
- https://github.com/nextcloud/server/pull/35057
  "Add brute force protection on all methods wrapped by PublicShareMiddleware" by julien-nc (Pull Request #35057, nextcloud/server on GitHub). Tags: Issue Tracking; Patch