Bug 1216298 (CVE-2023-45149) - VUL-0: CVE-2023-45149: nextcloud: Password of talk conversations can be bruteforced
Summary: VUL-0: CVE-2023-45149: nextcloud: Password of talk conversations can be brute...
Status: NEW
Alias: CVE-2023-45149
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382030/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-17 06:47 UTC by SMASH SMASH
Modified: 2024-04-16 08:00 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-10-17 06:47:47 UTC 
Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45149
Comment 1 Eric Schirra 2023-10-18 05:10:33 UTC 
I am not the maintainer of the nextcloud-calender-app package. I do not believe in fragmentation. And the app can be updated within nextcloud. You will even be notified about it by mail. So please address to the right maintainer.
Comment 2 Eric Schirra 2024-04-16 08:00:36 UTC 
What's going on?
Can i close?