CVE-2022-35931

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

CVSS v3.0 2.7 LOW

2.7^/10

CVSS v3.0 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr	Third Party Advisory
https://github.com/nextcloud/password_policy/pull/363	Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:password_policy::::::::
	cpe:2.3:a:nextcloud:password_policy::::::::
	cpe:2.3:a:nextcloud:password_policy::::::::

Information

Published : 2022-09-06 11:15

Updated : 2022-09-08 19:34

NVD link : CVE-2022-35931

Mitre link : CVE-2022-35931

JSON object : View

CWE

CWE-326

Inadequate Encryption Strength

Advertisement

Products Affected

nextcloud

password_policy

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7mw-9q4r-8qwr", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/nextcloud/password_policy/pull/363", "name": "https://github.com/nextcloud/password_policy/pull/363", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-326"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-35931", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}}, "publishedDate": "2022-09-06T18:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:nextcloud:password_policy:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "22.2.10"}, {"cpe23Uri": "cpe:2.3:a:nextcloud:password_policy:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "24.0.3", "versionStartIncluding": "24.0.0"}, {"cpe23Uri": "cpe:2.3:a:nextcloud:password_policy:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "23.0.7", "versionStartIncluding": "23.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-09-09T02:34Z"}