CVE-2022-31120 LOW

CVE-2022-31120: Federated share accepting/declining is not logged in audit log in Nextcloud Server

Vendor Nextcloud
Product security-advisories
Weakness CWE-778
Published August 4, 2022
Last update April 23, 2025

CVSS base score

2.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Nextcloud Server is an open source personal cloud solution. The audit log, which is used to get a full trail of actions, has been incompletely populated. In affected versions, federated share events were not properly logged, which would allow brute force attacks to go unnoticed. This behavior exacerbates the impact of CVE-2022-31118. It is recommended that Nextcloud Server is upgraded to 22.2.7, 23.0.4 or 24.0.0. There are no workarounds available.

Key dates

02 Disclosure timeline

August 4, 2022 CVE published
April 23, 2025 Record updated