Bug 1211789 (CVE-2023-32319) - VUL-0: CVE-2023-32319: nextcloud: basic auth header on WebDAV requests is not brute-force protected
Status: NEW
Alias: CVE-2023-32319
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Version: Leap 15.4
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: E-mail List
Reported: 2023-05-29 06:40 UTC by Gianluca Gabrielli
Modified: 2024-04-16 08:13 UTC

Description Gianluca Gabrielli 2023-05-29 06:40:59 UTC
Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing of user credentials when the provided user name was not an email address.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54
Comment 1 Eric Schirra 2023-05-29 07:11:41 UTC
Tumbleweed, Factory and devel have 25.0.7.
Leap still has the master branch 23 and the community version 23.0.12. No idea if this is also affected.
Major updates are not allowed and an update from 23 to 25 does not work. No idea what I should do.
Comment 2 Eric Schirra 2024-04-16 08:13:25 UTC
What's going on?
Can I close