LOW · 3.5

CVE-2022-39346


Vulnerability Description

Nextcloud Server is an open source personal cloud server. Affected versions of Nextcloud Server did not properly limit user display names, which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW

Affected Products

Vendor | Product | Versions
Nextcloud | Nextcloud Enterprise Server | < 22.2.10
Nextcloud | Nextcloud Server | < 22.2.10
Fedoraproject | Fedora | 35

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-39346?

CVE-2022-39346 is a vulnerability with a CVSS score of 3.5 (LOW). Nextcloud Server is an open source personal cloud server. Affected versions of Nextcloud Server did not properly limit user display names, which could allow malicious users to overload the backing da...

How severe is CVE-2022-39346?

CVE-2022-39346 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2022-39346?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Enterprise Server, Nextcloud Nextcloud Server, Fedoraproject Fedora.