Bug 1216298 (CVE-2023-45149)

Summary: VUL-0: CVE-2023-45149: nextcloud: Password of talk conversations can be bruteforced
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Eric Schirra <ecsos>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382030/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-17 06:47:47 UTC
Nextcloud Talk is a chat module for the Nextcloud server platform. In affected versions, the brute-force protection for public Talk conversation passwords could be bypassed, because an endpoint validated the conversation password without registering brute-force attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45149
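As an added illustration of the defect class described above (constructed example, not Nextcloud's or SUSE's code; the throttler, the action name and the policy values are assumptions), the vulnerable shape, where a second password-validation path never reports failures to the brute-force throttler, beside the hardened shape, where every path that checks the secret shares the same throttler:

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5        # constructed policy: block a client after this many failed guesses
WINDOW_SECONDS = 900    # constructed policy: failures older than this are forgotten

class Throttler:
    """Records failed guesses per (action, client); blocks after MAX_FAILURES within WINDOW_SECONDS."""

    def __init__(self, now):
        self.now = now                        # clock callable, injected so runs are deterministic
        self.failures = defaultdict(list)     # (action, client) -> timestamps of failed guesses

    def register_attempt(self, action, client):
        self.failures[(action, client)].append(self.now())

    def is_blocked(self, action, client):
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.failures[(action, client)] if t > cutoff]
        self.failures[(action, client)] = recent
        return len(recent) >= MAX_FAILURES

def hash_password(password):
    # Stand-in for a real password hash; production code would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def verify_unregistered(room, candidate, client, throttler):
    """Vulnerable shape: validates the password but never tells the throttler about failures."""
    return hmac.compare_digest(room["password_hash"], hash_password(candidate))

def verify_registered(room, candidate, client, throttler):
    """Hardened shape: every path that checks the secret consults and feeds the same throttler."""
    action = "talk_conversation_password"    # constructed action name
    if throttler.is_blocked(action, client):
        return False                          # refuse before comparing anything
    ok = hmac.compare_digest(room["password_hash"], hash_password(candidate))
    if not ok:
        throttler.register_attempt(action, client)
    return ok

def run_guesses(verify, room, guesses, client="203.0.113.7"):
    """Feed a guess list through one verifier; return (last result, client blocked afterwards)."""
    throttler = Throttler(now=lambda: 1_000_000.0)   # fixed clock: all guesses land in one window
    result = False
    for guess in guesses:
        result = verify(room, guess, client, throttler)
    return result, throttler.is_blocked("talk_conversation_password", client)
```

With the unregistered path, the correct password is still accepted after any number of failures and the throttler never learns about them; with the registered path, the client is refused once the failure budget is spent.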
Comment 1 Eric Schirra 2023-10-18 05:10:33 UTC
I am not the maintainer of the nextcloud-calender-app package. I do not believe in fragmentation. And the app can be updated within Nextcloud. You will even be notified about it by mail. So please address this to the right maintainer.
Comment 2 Eric Schirra 2024-04-16 08:00:36 UTC
What's going on?
Can I close?