Improper Restriction of Excessive Authentication Attempts in Nextcloud Server and Enterprise Server



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-45148
CWE-ID CWE-307
Exploitation vector Network
Public exploit N/A
Vulnerable software
Nextcloud Enterprise Server
Client/Desktop applications / Messaging software

Nextcloud Server
Client/Desktop applications / Messaging software

Vendor Nextcloud

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper Restriction of Excessive Authentication Attempts

EUVDB-ID: #VU82071

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-45148

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

Exploit availability: No

Description

The vulnerability allows a remote user to bypass the rate limiting of authentication attempts on the target system.

The vulnerability exists due to an improperly implemented rate limiter when Memcached is installed. A remote user can cause the rate limiting in Nextcloud Server to be reset unexpectedly, resetting the rate count earlier than intended.
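As an added illustration of this bug class (constructed for this bulletin; not Nextcloud's code and not the specific defect fixed in the linked pull request): a cache-backed rate limiter whose attempt count expires early because of the backend's TTL semantics, here memcached's documented rule that expiration values above 30 days are read as absolute Unix timestamps, shown beside the corrected form and a check that the window actually holds. The names `SimulatedMemcached`, `RateLimiter` and `attempts_before_block` are assumptions made for the example.

```python
# memcached reads expiration values above 30 days as absolute Unix timestamps.
MEMCACHED_MAX_RELATIVE_TTL = 30 * 24 * 3600


class SimulatedMemcached:
    """Constructed stand-in for a memcached-style cache with memcached's TTL rule."""
    def __init__(self, clock):
        self.clock = clock
        self.store = {}  # key -> (value, expires_at)

    def set(self, key, value, ttl):
        # Large TTLs are not "seconds from now" but an absolute expiry time.
        expires_at = ttl if ttl > MEMCACHED_MAX_RELATIVE_TTL else self.clock() + ttl
        self.store[key] = (value, expires_at)

    def get(self, key):
        item = self.store.get(key)
        if item is None or item[1] <= self.clock():
            self.store.pop(key, None)  # expired: the attempt history is gone
            return None
        return item[0]


class RateLimiter:
    """Sliding-window limiter keeping attempt timestamps in the cache."""
    def __init__(self, cache, clock, limit, period, clamp_ttl):
        self.cache, self.clock, self.limit, self.period = cache, clock, limit, period
        self.clamp_ttl = clamp_ttl  # False: weak form; True: corrected form

    def register(self, key):
        """Record one attempt; return True if it is still within the limit."""
        now = self.clock()
        attempts = [t for t in (self.cache.get(key) or []) if t > now - self.period]
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        ttl = self.period
        if self.clamp_ttl and ttl > MEMCACHED_MAX_RELATIVE_TTL:
            ttl = now + self.period  # hand the backend an absolute expiry instead
        self.cache.set(key, attempts, ttl)
        return True


def attempts_before_block(limit, period, clamp_ttl):
    """Regression check: how many of 3*limit attempts (1 s apart) get through."""
    clock_now = [1_700_000_000.0]  # constructed start time
    cache = SimulatedMemcached(lambda: clock_now[0])
    limiter = RateLimiter(cache, lambda: clock_now[0], limit, period, clamp_ttl)
    allowed = 0
    for _ in range(limit * 3):
        allowed += limiter.register("login:user@example") and 1
        clock_now[0] += 1
    return allowed  # expected: limit when the window holds, 3*limit when it resets
```

With a 60-day period the weak form lets every attempt through because each write expires immediately, while the clamped form and any short period enforce the limit.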

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Nextcloud Enterprise Server: 22.0.0 - 27.0.2

Nextcloud Server: 25.0.0 - 27.0.2

External links

https://github.com/nextcloud/server/pull/40293
https://hackerone.com/reports/2110945
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


