Bug 1200124 - (CVE-2022-29243) VUL-0: CVE-2022-29243: nextcloud: unbounded app password length can lead to DoS
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/333255/
Depends on:
Blocks:
Reported: 2022-06-01 14:35 UTC by Carlos López
Modified: 2022-07-07 08:59 UTC
CC List: 0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-06-01 14:35:39 UTC
CVE-2022-29243

Nextcloud Server is the file server software for Nextcloud, a self-hosted
productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size
validation of new session names allows users to create app passwords with long
names. These long names are then loaded into memory on usage, resulting in
impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue.
There are currently no known workarounds available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29243
https://github.com/nextcloud/server/pull/31658
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w
http://www.cvedetails.com/cve/CVE-2022-29243/
https://hackerone.com/reports/1153138
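The failure mode the advisory describes, as an added example (not Nextcloud's own code, which is PHP): an app-password store whose session name is saved without a size check and then read back into memory on every authentication, beside the hardened variant that rejects over-long names up front. The store class, method names and the 255-byte limit are assumptions made for this illustration; the page does not state the limit the upstream fix uses.

```python
"""Unbounded app-password names (CVE-2022-29243 pattern): the name is loaded
on every use of the token, so an attacker-chosen multi-megabyte name turns
each authentication into a large allocation. Example code, not Nextcloud's."""

import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed limit for this example; the advisory does not state the fixed value.
MAX_NAME_LENGTH = 255


@dataclass
class AppPassword:
    token_hash: str
    name: str          # the user-supplied session / app-password name


class AppPasswordStore:
    """Minimal stand-in for a token table. Names are read back on every use,
    which is the behaviour that makes an unbounded name expensive."""

    def __init__(self) -> None:
        self._rows: Dict[str, AppPassword] = {}
        self.bytes_loaded = 0   # cumulative name bytes pulled into memory on use

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _insert(self, name: str) -> str:
        token = secrets.token_hex(32)
        self._rows[self._hash(token)] = AppPassword(self._hash(token), name)
        return token

    def create_unchecked(self, name: str) -> str:
        """Vulnerable behaviour: any name length is accepted and stored."""
        return self._insert(name)

    def create_validated(self, name: str) -> str:
        """Hardened behaviour: reject empty or over-long names before storage.
        The limit is applied to the UTF-8 byte length, not the character count,
        so multi-byte input cannot slip past a character-based check."""
        if not name:
            raise ValueError("app password name must not be empty")
        if len(name.encode("utf-8")) > MAX_NAME_LENGTH:
            raise ValueError(f"app password name exceeds {MAX_NAME_LENGTH} bytes")
        return self._insert(name)

    def authenticate(self, token: str) -> Optional[AppPassword]:
        """Look up the token; the whole row, name included, is loaded on each call."""
        row = self._rows.get(self._hash(token))
        if row is not None:
            self.bytes_loaded += len(row.name.encode("utf-8"))
        return row


def demo() -> dict:
    """Measure the cost of ten uses of an unchecked 1 MB name, and confirm the
    validated path rejects the same input (constructed data)."""
    store = AppPasswordStore()
    huge_name = "x" * 1_000_000              # constructed oversized name
    token = store.create_unchecked(huge_name)
    for _ in range(10):
        assert store.authenticate(token) is not None
    try:
        store.create_validated(huge_name)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "bytes_loaded_per_10_uses": store.bytes_loaded,   # 10_000_000
        "oversized_rejected": rejected,                   # True
    }


if __name__ == "__main__":
    print(demo())
```

Checking bytes rather than characters matters for the validated path: a 200-character name made of two-byte characters is 400 bytes and is rejected, whereas `len(name) <= 255` would accept it.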
Comment 1 Carlos López 2022-06-01 14:37:46 UTC
Affected:
 - openSUSE:Backports:SLE-15-SP3:Update
 - openSUSE:Backports:SLE-15-SP4:Update
 - openSUSE:Factory
Comment 2 Eric Schirra 2022-07-07 08:59:33 UTC
openSUSE:Backports:SLE-15-SP4:Update has 23.0.5
openSUSE:Factory has 24.02