CVE-2023-35172

8.7 HIGH

📋 TL;DR

This vulnerability allows attackers to brute-force password reset links in NextCloud Server and NextCloud Enterprise Server, potentially enabling unauthorized account access. Affected users include all organizations running vulnerable versions of NextCloud's self-hosted file storage and productivity platform.

💻 Affected Systems

Products:
  • NextCloud Server
  • NextCloud Enterprise Server
Versions: NextCloud Server: 25.0.0-25.0.6, 26.0.0-26.0.1; NextCloud Enterprise Server: 21.0.0-21.0.9.11, 22.0.0-22.2.10.11, 23.0.0-23.0.12.6, 24.0.0-24.0.12.1, 25.0.0-25.0.6, 26.0.0-26.0.1
Operating Systems: All platforms running NextCloud
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain unauthorized access to user accounts, potentially compromising sensitive data, performing unauthorized actions, or escalating privileges within the NextCloud instance.

🟠 Likely Case

Attackers reset passwords for targeted accounts, gaining access to files and functionality available to those users, potentially leading to data theft or further system compromise.

🟢 If Mitigated

With proper rate limiting and monitoring, brute-force attempts are detected and blocked before successful exploitation, limiting impact to isolated incidents.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Brute-force attacks require no authentication and can be automated with simple tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NextCloud Server: 25.0.7, 26.0.2; NextCloud Enterprise Server: 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, 26.0.2

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6

Restart Required: No

Instructions:

1. Back up your NextCloud instance.
2. Update to the patched version via NextCloud's updater or a manual installation.
3. Verify that the update completed successfully.

🧯 If You Can't Patch

  • Implement strict rate limiting on password reset endpoints via web application firewall or reverse proxy.
  • Monitor logs for excessive password reset attempts and implement alerting.

🔍 How to Verify

Check if Vulnerable:

Check your NextCloud version in the admin dashboard, or read the 'version' field in config/config.php.

Check Version:

php occ config:system:get version

Verify Fix Applied:

Confirm that the installed version is one of the patched versions listed above, then exercise the password reset flow with monitoring in place to confirm that reset requests are logged as expected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts from single IP
  • Unusual patterns of password reset requests

Network Indicators:

  • High volume of POST requests to /index.php/lostpassword/* endpoints

SIEM Query:

source="nextcloud.log" AND "lostpassword" AND status=200 | stats count by src_ip
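Added example, not part of the advisory: the alerting condition behind the log and network indicators above, run over constructed nextcloud.log lines in Python. It assumes the JSON-lines layout of nextcloud.log with remoteAddr, method, url and time fields; addresses and tokens are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed nextcloud.log entries (JSON lines); the addresses and reset
# tokens below are placeholders, not observed data.
SAMPLE_LOG = """\
{"reqId":"r1","time":"2023-06-20T10:00:01+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0001/alice"}
{"reqId":"r2","time":"2023-06-20T10:00:12+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0002/alice"}
{"reqId":"r3","time":"2023-06-20T10:00:25+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0003/alice"}
{"reqId":"r4","time":"2023-06-20T10:00:40+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0004/alice"}
{"reqId":"r5","time":"2023-06-20T10:01:05+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0005/alice"}
{"reqId":"r6","time":"2023-06-20T10:01:30+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/set/tok0006/alice"}
{"reqId":"r7","time":"2023-06-20T10:01:31+00:00","remoteAddr":"203.0.113.7","method":"GET","url":"/index.php/lostpassword/reset/form/tok0007/alice"}
{"reqId":"r8","time":"2023-06-20T10:05:00+00:00","remoteAddr":"198.51.100.4","method":"POST","url":"/index.php/lostpassword/email"}
{"reqId":"r9","time":"2023-06-20T11:30:00+00:00","remoteAddr":"203.0.113.7","method":"POST","url":"/index.php/lostpassword/email"}
this line is truncated and not JSON
"""

RESET_PREFIX = "/index.php/lostpassword/"

def reset_posts_by_ip(log_text):
    """Map each source address to the timestamps of its POSTs to the reset endpoints."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank, truncated or non-JSON lines instead of aborting
        if not isinstance(entry, dict) or entry.get("method") != "POST":
            continue
        if not str(entry.get("url", "")).startswith(RESET_PREFIX):
            continue
        hits[entry.get("remoteAddr", "unknown")].append(datetime.fromisoformat(entry["time"]))
    return hits

def peak_rate(timestamps, window_seconds):
    """Largest number of requests inside any window of window_seconds (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_sources(log_text, threshold=5, window_seconds=600):
    """Addresses whose peak reset-POST rate reaches the threshold: the alerting condition."""
    hits = reset_posts_by_ip(log_text)
    return sorted(ip for ip, ts in hits.items() if peak_rate(ts, window_seconds) >= threshold)
```

The window and threshold are tuning knobs; a single legitimate user rarely sends more than a couple of reset POSTs in ten minutes, so the flagged list is what the SIEM query's per-source count should feed into alerting.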
