Vulnerability Details : CVE-2023-39960
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.
Products affected by CVE-2023-39960
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 26.0.0 and before (<) 26.0.4cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 23.0.0 and before (<) 23.0.12.9cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 22.0.0 and before (<) 22.2.10.14cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 24.0.0 and before (<) 24.0.12.5cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 25.0.0 and before (<) 25.0.9cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39960
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 44 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-39960
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
5.0
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
3.1
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2023-39960
-
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-39960
-
https://github.com/nextcloud/server/pull/38046
fix(dav): Also throw in basic auth requests by nickvergessen · Pull Request #38046 · nextcloud/server · GitHubIssue Tracking;Patch
-
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9
Improper restriction of excessive authentication attempts on WebDAV endpoint · Advisory · nextcloud/security-advisories · GitHubVendor Advisory
-
https://hackerone.com/reports/1924212
Nextcloud | Report #1924212 - Improper restriction of excessive authentication attempts on WebDAV endpoint | HackerOneThird Party Advisory
Jump to