cvelistGitHub_MCVELIST:CVE-2023-49792
History: Dec 22, 2023 - 4:31 p.m.

CVE-2023-49792 Bruteforce protection can be bypassed with misconfigured proxy

2023-12-22 16:31:17
CWE-307
GitHub_M
www.cve.org
nextcloud
proxy misconfiguration
bypassed protection
cve-2023-49792
authentication vulnerability

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score: 9.8
Confidence: High

EPSS: 0.001
Percentile: 29.9%

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as a trusted proxy, the server could be tricked into reading a wrong remote address for an attacker, allowing them to execute more authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 23.0.0, < 23.0.12.13",
        "status": "affected"
      },
      {
        "version": ">= 24.0.0, < 24.0.12.9",
        "status": "affected"
      },
      {
        "version": ">= 25.0.0, < 25.0.13.4",
        "status": "affected"
      },
      {
        "version": ">= 26.0.0, < 26.0.9",
        "status": "affected"
      },
      {
        "version": ">= 27.0.0, < 27.1.4",
        "status": "affected"
      }
    ]
  }
]
