Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28835


Nextcloud Server is an open source home cloud implementation. In affected versions, the fallback password generated when creating a share was produced by a weak random number generator, so when the sharer did not change it the password could be guessable by an attacker willing to brute-force it. It is recommended that Nextcloud Server be upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.


Published

2023-03-30T19:15:07.020

Last Modified

2024-11-21T07:56:07.340

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

Weaknesses
  • CWE-338 (Primary): Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Affected Vendors & Products
Type         Vendor     Product           Version/Range   Vulnerable?
Application  nextcloud  nextcloud_server  < 23.0.14       Yes
Application  nextcloud  nextcloud_server  < 24.0.10       Yes
Application  nextcloud  nextcloud_server  < 25.0.4        Yes

References