Bug 1216299 (CVE-2023-45150) - VUL-0: CVE-2023-45150: nextcloud: Inviting excessive long email addresses to a calendar event makes the server unresponsive
Summary: VUL-0: CVE-2023-45150: nextcloud: Inviting excessive long email addresses to ...
Status: NEW
Alias: CVE-2023-45150
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382031/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-17 06:47 UTC by SMASH SMASH
Modified: 2024-04-16 08:00 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-10-17 06:47:52 UTC 
Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The only workaround for users unable to upgrade is to disable the calendar app.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45150
Comment 1 Eric Schirra 2023-10-18 05:10:16 UTC 
I am not the maintainer of the nextcloud-calender-app package. I do not believe in fragmentation. And the app can be updated within nextcloud. You will even be notified about it by mail. So please address to the right maintainer.
Comment 2 Eric Schirra 2024-04-16 08:00:51 UTC 
What's going on?
Can i close?