Bug 1212714 (CVE-2023-35172)

Summary: VUL-0: CVE-2023-35172: NextCloud: Password reset endpoint is not brute force protected
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Eric Schirra <ecsos>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370437/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-26 08:45:41 UTC
CVE-2023-35172

NextCloud Server and NextCloud Enterprise Server provide file storage for
Nextcloud, a self-hosted productivity platform. In NextCloud Server versions
25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server
versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until
23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2,
an attacker can brute-force the password reset links. Nextcloud Server 25.0.7
and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7,
24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known
workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-35172
https://bugzilla.redhat.com/show_bug.cgi?id=2217313
https://www.cve.org/CVERecord?id=CVE-2023-35172
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6
https://github.com/nextcloud/server/pull/38267
https://hackerone.com/reports/1987062
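To make concrete what "brute force protected" means for a password-reset endpoint, the following is an added Python illustration of the vulnerability class. It is not Nextcloud's code and not the fix in the referenced pull request: a reset-token store behind two validation paths, one that performs the token check for every guess and one that stops checking once a per-client failure budget is spent. The class and function names, the client addresses and the budget of 5 failures per 15 minutes are assumptions chosen for the example; this page does not state Nextcloud's thresholds.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed illustration of the vulnerability class only; not Nextcloud's
# code or its fix. TokenStore, ThrottledReset, the client addresses and the
# 5-per-900s budget are invented for this example.


class FakeClock:
    """Deterministic clock so the lockout window can be exercised offline."""
    def __init__(self, start=1_700_000_000.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TokenStore:
    """Outstanding reset tokens, user_id -> (token, expiry); counts token checks."""
    def __init__(self, clock=time.time, ttl=3600):
        self.clock = clock
        self.ttl = ttl
        self.compares = 0      # guesses that actually reached the token comparison
        self._tokens = {}

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy in the link
        self._tokens[user_id] = (token, self.clock() + self.ttl)
        return token

    def consume(self, user_id, presented):
        """True, and the token is invalidated, only on an unexpired exact match."""
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        token, expiry = entry
        if self.clock() > expiry:
            del self._tokens[user_id]
            return False
        self.compares += 1
        # Constant-time compare: response timing must not reveal matching prefixes
        if not hmac.compare_digest(token, presented):
            return False
        del self._tokens[user_id]           # single use
        return True


def unprotected_reset(store, user_id, presented):
    """Vulnerable pattern: every guess from every client reaches the token check."""
    return store.consume(user_id, presented)


class ThrottledReset:
    """Hardened pattern: per-client failure budget enforced before the check."""
    def __init__(self, store, max_failures=5, window=900, clock=time.time):
        self.store = store
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)  # client_key -> failure timestamps

    def _recent_failures(self, client_key):
        now = self.clock()
        kept = [t for t in self._failures[client_key] if now - t < self.window]
        self._failures[client_key] = kept
        return len(kept)

    def locked_out(self, client_key):
        return self._recent_failures(client_key) >= self.max_failures

    def attempt(self, client_key, user_id, presented):
        """Return 'ok', 'invalid' or 'throttled'; throttled guesses are never compared."""
        if self.locked_out(client_key):
            return "throttled"
        if self.store.consume(user_id, presented):
            self._failures.pop(client_key, None)
            return "ok"
        self._failures[client_key].append(self.clock())
        return "invalid"


def simulate(n_guesses, max_failures=5, window=900):
    """Fire n_guesses wrong tokens at both endpoints from one attacker address."""
    clock = FakeClock()
    open_store, safe_store = TokenStore(clock=clock), TokenStore(clock=clock)
    open_store.issue("alice")
    real_token = safe_store.issue("alice")
    throttled = ThrottledReset(safe_store, max_failures, window, clock)
    attacker, victim = "203.0.113.7", "198.51.100.9"   # example addresses

    for _ in range(n_guesses):
        unprotected_reset(open_store, "alice", secrets.token_urlsafe(32))
    outcomes = defaultdict(int)
    for _ in range(n_guesses):
        outcomes[throttled.attempt(attacker, "alice", secrets.token_urlsafe(32))] += 1
    attacker_compares = safe_store.compares

    legit = throttled.attempt(victim, "alice", real_token)  # other client: unaffected
    clock.advance(window + 1)                               # budget resets after window
    return {
        "unprotected_compares": open_store.compares,
        "throttled_compares": attacker_compares,
        "throttled_rejections": outcomes["throttled"],
        "legit_result": legit,
        "lockout_expired": not throttled.locked_out(attacker),
    }
```

Running simulate(100) shows the unprotected path performing a token comparison for all 100 guesses, while the throttled path compares only the first five and rejects the remaining 95 before any check; the legitimate user on another address still completes the reset, and the lockout clears once the window has passed. The budget here is keyed on the client address alone. Keying additionally on the target account bounds an attacker who spreads guesses across many addresses, at the cost of letting that attacker deny the victim their own reset for the length of the window, which is why many implementations combine both keys with separate budgets.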

Comment 1 Cathy Hu 2023-06-26 08:47:08 UTC
Not affected, closing
- openSUSE:Factory/nextcloud               26.0.3