Bug 1216297 (CVE-2023-45148) - VUL-0: CVE-2023-45148: nextcloud: Rate limiter not working reliable when Memcached is installed
Summary: VUL-0: CVE-2023-45148: nextcloud: Rate limiter not working reliable when Memc...
Status: NEW
Alias: CVE-2023-45148
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382015/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-17 06:47 UTC by SMASH SMASH
Modified: 2024-04-16 07:59 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-10-17 06:47:39 UTC 
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45148
Comment 1 Eric Schirra 2023-10-18 05:11:48 UTC 
In devel, factory and Tumbleweed there is 27.1.2
Last version in branch 24 is 24.0.12.
But 24 is End of Life since 2023-04.
And i have no rights for SLE.
Comment 4 Eric Schirra 2024-04-16 07:59:41 UTC 
What's going on?
Can i close?