Bug 1212640 (CVE-2023-32320) - VUL-0: CVE-2023-32320: nextcloud: bruteforce protected details by sending multiple parallel requests
Summary: VUL-0: CVE-2023-32320: nextcloud: bruteforce protected details by sending mul...
Status: NEW
Alias: CVE-2023-32320
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370240/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-23 06:55 UTC by Robert Frohl
Modified: 2024-04-16 08:13 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2023-06-23 06:55:27 UTC 
CVE-2023-32320

Nextcloud Server is a data storage system for Nextcloud, a self-hosted
productivity platform. When multiple requests are sent in parallel, all of them
were executed even if the amount of faulty requests succeeded the limit by the
time the response was sent to the client. This allowed someone to send as many
requests the server could handle in parallel to bruteforce protected details
instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and
26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12,
23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32320
https://www.cve.org/CVERecord?id=CVE-2023-32320
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg
https://github.com/nextcloud/server/pull/38274
https://hackerone.com/reports/1918525
Comment 1 Robert Frohl 2023-06-23 06:58:18 UTC 
fixed in Factory, but needed in Backports
Comment 2 Eric Schirra 2023-06-23 12:16:21 UTC 
(In reply to Robert Frohl from comment #1)
> fixed in Factory, but needed in Backports

Unfortunately no chance, because the versions in Leap are too old.
And the displayed update versions are only Enterprise. The versions do not exist in the community version.
Comment 3 Robert Frohl 2023-06-23 16:10:37 UTC 
(In reply to Eric Schirra from comment #2)
> (In reply to Robert Frohl from comment #1)
> > fixed in Factory, but needed in Backports
> 
> Unfortunately no chance, because the versions in Leap are too old.
> And the displayed update versions are only Enterprise. The versions do not
> exist in the community version.

What blocks an update to 25.0.x or 26.0.x in backports ? At least looking at server:php:applications/nextcloud it looks like they build successfully.
Comment 4 Robert Frohl 2023-06-23 16:16:51 UTC 
i.e. wondering if there is something I could help with to unblock the update to a newer version
Comment 5 Eric Schirra 2023-06-23 18:08:29 UTC 
You can only update from one major to the next.

You can't skip any of them.

That leads to a crash.

But it has always been like that.

And even if that works from one major to another when you have an old minor, I don't know yet.
Comment 6 Eric Schirra 2024-04-16 08:13:09 UTC 
whats going on?
Can i close?