CVE-2022-29243 MEDIUM

CVE-2022-29243: Improper input-size validation on the user new session name in Nextcloud Server

Vendor Nextcloud
Product security-advisories
Weakness CWE-20 · Input validation
Published May 31, 2022
Last update April 23, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.

Key dates

02 Disclosure timeline

May 31, 2022 CVE published
April 23, 2025 Record updated