Bug 1216254 (CVE-2023-39960) - VUL-0: CVE-2023-39960: nextcloud: WebDAV API vulnerable to brute force password attacks
Status: NEW
Alias: CVE-2023-39960
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381799/
Reported: 2023-10-16 06:20 UTC by SMASH SMASH
Modified: 2024-04-16 08:01 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-10-16 06:20:39 UTC
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39960
Comment 1 Eric Schirra 2023-10-16 11:04:41 UTC
In devel, factory and Tumbleweed there is 27.1.2.
Last version in branch 24 is 24.0.12.
But 24 is End of Life since 2023-04.
And I have no rights for SLE.
Comment 2 Eric Schirra 2024-04-16 08:01:05 UTC
What's going on?
Can I close?