Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.
References
| Link | Resource |
|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 | Vendor Advisory |
| https://github.com/nextcloud/server/pull/38046 | Issue Tracking Patch |
| https://hackerone.com/reports/1924212 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Oct 2023, 19:45
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| First Time |
Nextcloud nextcloud Server
Nextcloud |
|
| CPE | cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:* |
|
| References | (MISC) https://hackerone.com/reports/1924212 - Third Party Advisory | |
| References | (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 - Vendor Advisory | |
| References | (MISC) https://github.com/nextcloud/server/pull/38046 - Issue Tracking, Patch |
13 Oct 2023, 13:46
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-10-13 13:15
Updated : 2023-12-10 15:14
NVD link : CVE-2023-39960
Mitre link : CVE-2023-39960
CVE.ORG link : CVE-2023-39960
JSON object : View
Products Affected
nextcloud
- nextcloud_server
CWE
CWE-307
Improper Restriction of Excessive Authentication Attempts