CVE-2022-35931 LOW

CVE-2022-35931: Nextcloud Password Policy's generated passwords are not fully validated by HIBPValidator

Vendor Nextcloud
Product security-advisories
Weakness CWE-261
Published September 6, 2022
Last update April 23, 2025

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3, the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

Key dates

02 Disclosure timeline

September 6, 2022 CVE published
April 23, 2025 Record updated