https://bugzilla.suse.com/show_bug.cgi?id=1214175 Bug ID: 1214175 Summary: VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client secrets of configured OAuth2 clients Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374995/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos@schirra.net Reporter: carlos.lopez@suse.com QA Contact: security-team@suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39958 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39958 https://www.cve.org/CVERecord?id=CVE-2023-39958 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv... https://github.com/nextcloud/server/pull/38773 https://hackerone.com/reports/1258448 -- You are receiving this mail because: You are on the CC list for the bug.