#VU66130 Input validation error in Nextcloud Server - CVE-2022-31120


Vulnerability identifier: #VU66130

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-31120

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Nextcloud Server
Client/Desktop applications / Messaging software

Vendor: Nextcloud

Description

The vulnerability allows a remote administrator on the local network to compromise the target system.

The vulnerability exists because accepting or declining a federated share is not recorded in the audit log, so brute-force attempts against federated shares can go unnoticed.
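As an added example that is not part of this advisory or of the Nextcloud project's own code: once federated share accept/decline events do reach the admin_audit log, a defender can look for exactly the burst pattern the description warns about. The JSON-per-line layout follows Nextcloud's log file format; the sample lines below are constructed, and the wording of the federated-share messages, the field values and the alert threshold are assumptions.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Nextcloud-style audit log lines (one JSON object per
# line, app "admin_audit"). The federated-share message wording is an
# assumption, not text taken from Nextcloud.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"reqId":"r1","level":1,"time":"2022-06-01T10:00:00+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 101 accepted by user alice"}',
    '{"reqId":"r2","level":1,"time":"2022-06-01T10:00:05+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 102 declined by user alice"}',
    '{"reqId":"r3","level":1,"time":"2022-06-01T10:00:07+00:00","remoteAddr":"10.0.0.9","user":"alice","app":"files","message":"File accessed: /alice/files/notes.txt"}',
    '{"reqId":"r4","level":1,"time":"2022-06-01T10:00:10+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 103 accepted by user alice"}',
    'this line is not JSON at all',
    '{"reqId":"r5","level":1,"time":"2022-06-01T10:00:15+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 104 declined by user alice"}',
    '{"reqId":"r6","level":1,"time":"2022-06-01T10:00:20+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 105 accepted by user alice"}',
    '{"reqId":"r7","level":1,"time":"2022-06-01T10:00:25+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Federated share 106 accepted by user alice"}',
    '{"reqId":"r8","level":1,"time":"2022-06-01T10:01:00+00:00","remoteAddr":"10.0.0.7","user":"bob","app":"admin_audit","message":"Federated share 201 declined by user bob"}',
])

# Assumed message shape: "Federated share <id> accepted|declined ..."
FEDERATED_SHARE_RE = re.compile(r"^Federated share (?P<share>\S+) (?P<action>accepted|declined)\b")


def parse_audit_line(line):
    """Return a dict for a federated-share accept/decline audit entry, or None
    for malformed lines, other apps, and unrelated audit messages."""
    line = line.strip()
    if not line:
        return None
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or entry.get("app") != "admin_audit":
        return None
    m = FEDERATED_SHARE_RE.match(entry.get("message", ""))
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(entry["time"])
    except (KeyError, TypeError, ValueError):
        return None
    return {
        "time": ts,
        "user": entry.get("user", "?"),
        "addr": entry.get("remoteAddr", "?"),
        "share": m.group("share"),
        "action": m.group("action"),
    }


def detect_bursts(lines, threshold=5, window_seconds=60):
    """Flag each (user, remoteAddr) pair that accepts or declines federated
    shares at least `threshold` times inside a sliding `window_seconds` window.
    Lines are expected in chronological order, as in the log file."""
    recent = defaultdict(deque)   # (user, addr) -> timestamps in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["addr"])
        q = recent[key]
        q.append(ev["time"])
        while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "addr": key[1],
                           "count": len(q), "last": ev["time"].isoformat()})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bursts(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print("burst of federated share accept/decline events:", alert)
```

With the sample above, the six events from alice at 10.0.0.5 inside 25 seconds trigger one alert at the fifth event, bob's single decline does not, and the non-audit line and the malformed line are skipped rather than aborting the run. The threshold and window are starting points to tune against real traffic.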

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Nextcloud Server: 22.2.0 - 23.0.3


External links
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9qvg-7fwg-722x
https://github.com/nextcloud/server/pull/31594/commits/1d8bf9a89c6856218802a1d365000a5831be8655
https://portal.nextcloud.com/article/using-the-audit-log-44.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

