CVE-2023-45149

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-45149

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-45149.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-45149

Aliases

GHSA-7rf8-pqmj-rpqv

Published

2023-10-16T19:03:20Z

Modified

2025-11-05T01:19:20.230106Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Password of talk conversations can be bruteforced in Nextcloud

Details

Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-307"
    ]
}

References

Affected packages

Git / github.com/nextcloud/spreed

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/spreed
Events: Introduced

7149ff90e030daff312bf973d5c9b219e0fa6061

Fixed

9c12a6414fc12d6bb81cea387efded16f0301fc5

Affected versions

v15.*

v15.0.0

v15.0.1

v15.0.2

v15.0.3

v15.0.4

v15.0.5

v15.0.6

v15.0.7

Git / github.com/nextcloud/talk-android

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/talk-android
Events: Introduced

920e441960fb103e040a5d1ae2da1626ed5b8b83

Fixed

3d39b577820b92b77ab9760afbe313bae47c8ce4