Bug 1211789 (CVE-2023-32319)

Summary: VUL-0: CVE-2023-32319: nextcloud: basic auth header on WebDAV requests is not brute-force protected
Product: [openSUSE] openSUSE Distribution
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Other
Assignee: Eric Schirra <ecsos>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-05-29 06:40:59 UTC
Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing user credentials when the provided user name was not an email address.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54
Comment 1 Eric Schirra 2023-05-29 07:11:41 UTC
Tumbleweed, Factory and devel have 25.0.7.
Leap still has the master branch 23 and the community version 23.0.12. No idea if this is also affected.
Major updates are not allowed and an update from 23 to 25 does not work. No idea what I should do.
Comment 2 Eric Schirra 2024-04-16 08:13:25 UTC
What's going on?
Can I close