CVE-2023-32319 HIGH

CVE-2023-32319: Basic auth header on WebDAV requests is not brute-force protected in Nextcloud

Vendor Nextcloud
Product security-advisories
Weakness CWE-307 · Brute force
Published May 26, 2023
Last update January 14, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

May 26, 2023 CVE published
January 14, 2025 Record updated