Bug 1212640 (CVE-2023-32320)

Summary: VUL-0: CVE-2023-32320: nextcloud: bruteforce protected details by sending multiple parallel requests
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Eric Schirra <ecsos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/370240/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-06-23 06:55:27 UTC 
CVE-2023-32320

Nextcloud Server is a data storage system for Nextcloud, a self-hosted
productivity platform. When multiple requests are sent in parallel, all of them
were executed even if the amount of faulty requests succeeded the limit by the
time the response was sent to the client. This allowed someone to send as many
requests the server could handle in parallel to bruteforce protected details
instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and
26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12,
23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32320
https://www.cve.org/CVERecord?id=CVE-2023-32320
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg
https://github.com/nextcloud/server/pull/38274
https://hackerone.com/reports/1918525
Comment 1 Robert Frohl 2023-06-23 06:58:18 UTC 
fixed in Factory, but needed in Backports
Comment 2 Eric Schirra 2023-06-23 12:16:21 UTC 
(In reply to Robert Frohl from comment #1)
> fixed in Factory, but needed in Backports

Unfortunately no chance, because the versions in Leap are too old.
And the displayed update versions are only Enterprise. The versions do not exist in the community version.
Comment 3 Robert Frohl 2023-06-23 16:10:37 UTC 
(In reply to Eric Schirra from comment #2)
> (In reply to Robert Frohl from comment #1)
> > fixed in Factory, but needed in Backports
> 
> Unfortunately no chance, because the versions in Leap are too old.
> And the displayed update versions are only Enterprise. The versions do not
> exist in the community version.

What blocks an update to 25.0.x or 26.0.x in backports ? At least looking at server:php:applications/nextcloud it looks like they build successfully.
Comment 4 Robert Frohl 2023-06-23 16:16:51 UTC 
i.e. wondering if there is something I could help with to unblock the update to a newer version
Comment 5 Eric Schirra 2023-06-23 18:08:29 UTC 
You can only update from one major to the next.

You can't skip any of them.

That leads to a crash.

But it has always been like that.

And even if that works from one major to another when you have an old minor, I don't know yet.
Comment 6 Eric Schirra 2024-04-16 08:13:09 UTC 
whats going on?
Can i close?