CVE-2023-32319
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-32319
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32319.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-32319
- Aliases
-
- GHSA-mr7q-xf62-fw54
- Published
- 2023-05-26T22:49:30.234Z
- Modified
- 2025-11-28T08:30:44.109067Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Basic auth header on WebDAV requests is not brute-force protected in Nextcloud
- Details
-
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-307" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32319.json" }- References
Affected packages
Git / github.com/nextcloud/server
Affected ranges
Affected versions
v24.*
v24.0.0
v24.0.1
v24.0.10
v24.0.10rc1
v24.0.11rc1
v24.0.1rc1
v24.0.2
v24.0.2rc1
v24.0.3
v24.0.3rc1
v24.0.3rc2
v24.0.4
v24.0.4rc1
v24.0.5
v24.0.5rc1
v24.0.6
v24.0.6rc1
v24.0.7
v24.0.7rc1
v24.0.8
v24.0.8rc1
v24.0.8rc2
v24.0.9
v24.0.9rc1
v24.0.9rc2
v25.*
v25.0.0
v25.0.1
v25.0.1rc1
v25.0.2
v25.0.2rc1
v25.0.2rc2
v25.0.2rc3
v25.0.3
v25.0.3rc1
v25.0.3rc2
v25.0.4
v25.0.4rc1
v25.0.5rc1