Bugzilla – Bug 1205802
VUL-0: CVE-2022-39346: nextcloud: Missing length validation of user displayname allows to generate an SQL error
Last modified: 2024-04-16 08:16:06 UTC
rh#2148815 Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue. https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6 https://github.com/nextcloud/server/pull/33052 https://hackerone.com/reports/1588562 References: https://bugzilla.redhat.com/show_bug.cgi?id=2148815 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39346 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6 http://www.cvedetails.com/cve/CVE-2022-39346/ https://github.com/nextcloud/server/pull/33052 https://www.cve.org/CVERecord?id=CVE-2022-39346 https://hackerone.com/reports/1588562
Affected: - openSUSE:Backports:SLE-15-SP3/nextcloud 20.0.7 - openSUSE:Backports:SLE-15-SP4/nextcloud 23.0.5 Not Affected: - openSUSE:Factory/nextcloud 24.0.7
This is an autogenerated message for OBS integration: This bug (1205802) was mentioned in https://build.opensuse.org/request/show/1076615 Backports:SLE-15-SP4 / nextcloud
openSUSE-SU-2023:0083-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1203190,1205802,1208591 CVE References: CVE-2022-35931,CVE-2022-39346,CVE-2023-25579 JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): nextcloud-23.0.12-bp154.2.3.1
is accepted