CVE-2022-31118
MEDIUM
Nextcloud Server <22.2.9, <23.0.6, <24.0.2 - Info Disclosure (brute-forceable federated share tokens)
Title source: llmDescription
Nextcloud Server is an open source personal cloud solution. In affected versions an unauthenticated attacker (PR:N in the vector below) can brute-force requests against the server to learn whether federated sharing is in use, and can then attempt to brute-force the access tokens of federated shares. Tokens are 15 characters drawn from `a-zA-Z0-9`, i.e. 62^15 possibilities, and the CWE-307 / CWE-770 assignments below point to the real defect: repeated guesses were not throttled. Upgrade Nextcloud Server to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade can disable federated sharing in the admin Sharing settings (`index.php/settings/admin/sharing`) until they can.
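A quick way to triage an inventory of Nextcloud instances against this advisory is a branch-aware version check: each of the 22, 23 and 24 branches has its own fix release, so a plain "less than 24.0.2" comparison would wrongly clear 23.0.5. The following is an added example written for this page, not Nextcloud project code; the cut-offs come from the advisory text, and the treatment of branches older than 22 as affected (no fix is listed for them) and of 25+ as unaffected are assumptions noted in the comments.

```python
"""Decide whether a Nextcloud Server version falls in the ranges affected by
CVE-2022-31118 (added example, not Nextcloud code)."""
from __future__ import annotations

# First fixed release per minor branch, from the advisory: 22.2.9, 23.0.6, 24.0.2.
FIXED: dict[int, tuple[int, int, int]] = {
    22: (22, 2, 9),
    23: (23, 0, 6),
    24: (24, 0, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '24.0.1.1' or '23.0.5' into a comparable tuple of ints.

    Nextcloud reports a fourth component on some builds; we keep it, and pad
    short strings so '22.2' compares like 22.2.0.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unexpected version component: {piece!r}")
        parts.append(int(piece))
    if not parts:
        raise ValueError("empty version string")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is below the fix release of its own branch."""
    v = parse_version(version)
    major = v[0]
    if major < 22:
        # Assumption: the advisory lists no fixed release for older branches,
        # so treat them as affected (they are also out of support).
        return True
    if major > 24:
        # Assumption: 25 and later were released after the fix landed.
        return False
    return v[:3] < FIXED[major]


def triage(versions: list[str]) -> dict[str, bool]:
    """Map each reported version to its affected/not-affected verdict."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, one version per host.
    sample = ["22.2.8", "22.2.9", "23.0.5", "23.0.6", "24.0.1", "24.0.2.1", "25.0.0"]
    for ver, hit in triage(sample).items():
        print(f"{ver:>10}  {'AFFECTED' if hit else 'ok'}")
```

The check deliberately compares only the first three components against the fix release, so a point build such as 24.0.2.1 is reported as fixed while 22.2 (padded to 22.2.0) is reported as affected.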
References (2)
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vwh-5v93-3vcq
Patch, Third Party Advisory
https://github.com/nextcloud/server/pull/32843/commits/6eb692da7fe73c899cb6a8d2aa045eddb1f14018
Scores
CVSS v3.1 base score
6.5 (Medium)
EPSS
0.0024
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770 (Allocation of Resources Without Limits or Throttling)
CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Status
published
Products (1)
nextcloud/nextcloud_server
< 22.2.9 (the description also covers 23.0.0 to 23.0.5 and 24.0.0 to 24.0.1)
Published
Aug 04, 2022
Tracked Since
Feb 18, 2026