CVE-2023-28847

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28847

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28847.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28847

Aliases

GHSA-r5wf-xj97-3w7w

Published

2023-04-25T16:32:59.897Z

Modified

2025-11-29T06:23:31.699284Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Nextcloud Server missing brute force protection for passwords of password protected share links

Details

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-307"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28847.json"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

5f37aacb3194d51503aaa3529ae8f676b32a25d7

Fixed

5589071173b072ae2480be2909287105c8a04773

Database specific

{
    "versions": [
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.0.11"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

28add7e896b24fee2714b21a12151e4042ab677c

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.5"
        }
    ]
}

Affected versions

v24.*

v24.0.0

v24.0.1

v24.0.10

v24.0.10rc1

v24.0.11rc1

v24.0.1rc1

v24.0.2

v24.0.2rc1

v24.0.3

v24.0.3rc1

v24.0.3rc2

v24.0.4

v24.0.4rc1

v24.0.5

v24.0.5rc1

v24.0.6

v24.0.6rc1

v24.0.7

v24.0.7rc1

v24.0.8

v24.0.8rc1

v24.0.8rc2

v24.0.9

v24.0.9rc1

v24.0.9rc2

v25.*

v25.0.0

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5rc1