CVE-2022-31118 MEDIUM

CVE-2022-31118: Missing brute force protection on cloud federation sharing in Nextcloud Server

Vendor Nextcloud
Product security-advisories
Weakness CWE-770 · Uncontrolled resource consumption
Published August 4, 2022
Last update April 23, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

Description

Nextcloud Server is an open source personal cloud solution. In affected versions, the cloud federation sharing endpoints lacked brute force protection: an attacker could probe the server to determine whether federated sharing is in use, and could then attempt to brute force the access tokens of federated shares (15-character tokens drawn from `a-zA-Z0-9`). It is recommended that Nextcloud Server be upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings at `index.php/settings/admin/sharing`.

Key dates

Disclosure timeline

August 4, 2022 CVE published
April 23, 2025 Record updated