Nextcloud GHSA-WXX7-W5P4-7X4C
Oct 27, 2022 - 6:51 a.m.

Database resource exhaustion for logged-in users via sharee recommendations with circles

2022-10-27 06:51:27
github.com
Tags: nextcloud, upgrade, circles app, resource exhaustion, security advisory

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 39.7%

Description

Impact

A logged-in attacker can slow down the system by generating a lot of database/CPU load.

Patches

It is recommended that the Nextcloud Server is upgraded to 23.0.10 or 24.0.6.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10, 23.0.10 or 24.0.6.

Workarounds

Disable the Circles app.

References

For more information

If you have any questions or comments about this advisory:
