CVE-2022-29243 (GCVE-0-2022-29243)

Vulnerability from cvelistv5 – Published: 2022-05-31 16:15 – Updated: 2025-04-23 18:21
VLAI?
Summary
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE
  • CWE-20 - Improper Input Validation
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
nextcloud security-advisories Affected: < 22.2.7
Affected: >= 23.0.0, < 23.0.4
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:17:54.531Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/server/pull/31658"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1153138"
          },
          {
            "name": "GLSA-202208-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-17"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-29243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:06:33.376288Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:21:13.118Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 22.2.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 23.0.0, \u003c 23.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-11T00:08:59.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/server/pull/31658"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1153138"
        },
        {
          "name": "GLSA-202208-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-17"
        }
      ],
      "source": {
        "advisory": "GHSA-7cwm-qph5-4h5w",
        "discovery": "UNKNOWN"
      },
      "title": "Improper input-size validation on the user new session name in Nextcloud Server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-29243",
          "STATE": "PUBLIC",
          "TITLE": "Improper input-size validation on the user new session name in Nextcloud Server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "security-advisories",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 22.2.7"
                          },
                          {
                            "version_value": "\u003e= 23.0.0, \u003c 23.0.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "nextcloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w",
              "refsource": "CONFIRM",
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w"
            },
            {
              "name": "https://github.com/nextcloud/server/pull/31658",
              "refsource": "MISC",
              "url": "https://github.com/nextcloud/server/pull/31658"
            },
            {
              "name": "https://hackerone.com/reports/1153138",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1153138"
            },
            {
              "name": "GLSA-202208-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-7cwm-qph5-4h5w",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-29243",
    "datePublished": "2022-05-31T16:15:14.000Z",
    "dateReserved": "2022-04-13T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:21:13.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"22.2.7\", \"matchCriteriaId\": \"1569E72C-B9ED-4CED-ADBC-77DD1C02E1A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionStartExcluding\": \"23.0.0\", \"versionEndExcluding\": \"23.0.4\", \"matchCriteriaId\": \"C7469702-2C54-4F44-A760-03601C53FBD4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.\"}, {\"lang\": \"es\", \"value\": \"Nextcloud Server es el software de servidor de archivos de Nextcloud, una plataforma de productividad auto alojada. En versiones anteriores a 22.2.7 y 23.0.4, una falta de comprobaci\\u00f3n del tama\\u00f1o de la entrada de los nuevos nombres de sesi\\u00f3n permite a usuarios crear contrase\\u00f1as de aplicaciones con nombres largos. Estos nombres largos son cargados en la memoria durante el uso, resultando en un impacto en el rendimiento. Las versiones 22.2.7 y 23.0.4 contienen una correci\\u00f3n para este problema. Actualmente no se presentan mitigaciones conocidas disponibles\"}]",
      "id": "CVE-2022-29243",
      "lastModified": "2024-11-21T06:58:47.517",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:N/A:P\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-05-31T17:15:07.753",
      "references": "[{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/31658\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1153138\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202208-17\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/31658\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1153138\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202208-17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}, {\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-29243\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-05-31T17:15:07.753\",\"lastModified\":\"2024-11-21T06:58:47.517\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.\"},{\"lang\":\"es\",\"value\":\"Nextcloud Server es el software de servidor de archivos de Nextcloud, una plataforma de productividad auto alojada. En versiones anteriores a 22.2.7 y 23.0.4, una falta de comprobaci\u00f3n del tama\u00f1o de la entrada de los nuevos nombres de sesi\u00f3n permite a usuarios crear contrase\u00f1as de aplicaciones con nombres largos. Estos nombres largos son cargados en la memoria durante el uso, resultando en un impacto en el rendimiento. Las versiones 22.2.7 y 23.0.4 contienen una correci\u00f3n para este problema. Actualmente no se presentan mitigaciones conocidas disponibles\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:N/A:P\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"22.2.7\",\"matchCriteriaId\":\"1569E72C-B9ED-4CED-ADBC-77DD1C02E1A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"23.0.0\",\"versionEndExcluding\":\"23.0.4\",\"matchCriteriaId\":\"C7469702-2C54-4F44-A760-03601C53FBD4\"}]}]}],\"references\":[{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/31658\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1153138\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202208-17\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/31658\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1153138\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202208-17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"security-advisories\", \"vendor\": \"nextcloud\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 22.2.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 23.0.0, \u003c 23.0.4\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\", \"lang\": \"en\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-08-11T00:08:59.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/nextcloud/server/pull/31658\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://hackerone.com/reports/1153138\"}, {\"name\": \"GLSA-202208-17\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\"], \"url\": \"https://security.gentoo.org/glsa/202208-17\"}], \"source\": {\"advisory\": \"GHSA-7cwm-qph5-4h5w\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Improper input-size validation on the user new session name in Nextcloud Server\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-29243\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Improper input-size validation on the user new session name in Nextcloud Server\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"security-advisories\", \"version\": {\"version_data\": [{\"version_value\": \"\u003c 22.2.7\"}, {\"version_value\": \"\u003e= 23.0.0, \u003c 23.0.4\"}]}}]}, \"vendor_name\": \"nextcloud\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-20: Improper Input Validation\"}]}, {\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-400: Uncontrolled Resource Consumption\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\"}, {\"name\": \"https://github.com/nextcloud/server/pull/31658\", \"refsource\": \"MISC\", \"url\": \"https://github.com/nextcloud/server/pull/31658\"}, {\"name\": \"https://hackerone.com/reports/1153138\", \"refsource\": \"MISC\", \"url\": \"https://hackerone.com/reports/1153138\"}, {\"name\": \"GLSA-202208-17\", \"refsource\": \"GENTOO\", \"url\": \"https://security.gentoo.org/glsa/202208-17\"}]}, \"source\": {\"advisory\": \"GHSA-7cwm-qph5-4h5w\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:17:54.531Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7cwm-qph5-4h5w\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/nextcloud/server/pull/31658\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://hackerone.com/reports/1153138\"}, {\"name\": \"GLSA-202208-17\", \"tags\": [\"vendor-advisory\", \"x_refsource_GENTOO\", \"x_transferred\"], \"url\": \"https://security.gentoo.org/glsa/202208-17\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-29243\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:06:33.376288Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:06:34.779Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-29243\", \"datePublished\": \"2022-05-31T16:15:14.000Z\", \"dateReserved\": \"2022-04-13T00:00:00.000Z\", \"dateUpdated\": \"2025-04-23T18:21:13.118Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.