CVE-2022-24741

High memory usage in Nextcloud server

CVSS 3.5 (Low) · EPSS 1.6% · CWE-400
In short

An attacker can upload specially crafted files to Nextcloud that force the server to use excessive memory and CPU, causing it to slow down or become unavailable to legitimate users. This is a denial of service attack that can be mitigated by disabling preview generation.

Technical detail

CWE-400 (Uncontrolled Resource Consumption) vulnerability in Nextcloud Server allows unauthenticated or authenticated attackers to trigger excessive memory and CPU allocation through maliciously crafted file uploads, resulting in denial of service. The attack requires file upload capability and impacts server availability. Mitigation is to upgrade to a patched release (21.0.8, 22.2.4, or 23.0.1 and later) or, where upgrading is not possible, to disable preview generation via the `enable_previews` configuration flag.

Summary generated and translated by AI from the official description.
Nextcloud server is an open source, self-hosted cloud-style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the `'enable_previews'` config flag.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
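The triage helper below is an added example, not Nextcloud project code: it classifies an instance against the fixed releases and the `enable_previews` workaround named in the advisory above. The version strings and the `config.php` fragment are constructed test data, and branches the advisory does not name are reported as "not covered" rather than guessed at.

```python
"""Triage helper for CVE-2022-24741 (Nextcloud Server preview DoS).

Added example, not Nextcloud code. Fixed releases and the 'enable_previews'
workaround come from the advisory; sample versions/config are constructed.
"""
import re

# First fixed release per major branch, as named in the advisory.
FIXED = {21: (21, 0, 8), 22: (22, 2, 4), 23: (23, 0, 1)}

# Constructed config.php fragment standing in for a real instance's config.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample',
  'enable_previews' => false,
  'datadirectory' => '/var/www/nextcloud/data',
);
"""

def parse_version(version: str) -> tuple:
    """Normalise '22.2.3.0' or 'v23.0.0' to a 3-tuple such as (22, 2, 3)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def previews_enabled(config_php: str) -> bool:
    """Read 'enable_previews' from config.php text; a missing key means enabled."""
    m = re.search(r"'enable_previews'\s*=>\s*(true|false)\b", config_php)
    return m is None or m.group(1) == "true"

def assess(version: str, config_php: str = "") -> str:
    """Return 'patched', 'mitigated', 'vulnerable' or 'not covered'.

    'not covered' means the advisory names no fixed release for that branch.
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "not covered"
    if v >= fixed:
        return "patched"
    # Unpatched: the advisory's workaround is to disable preview generation.
    return "vulnerable" if previews_enabled(config_php) else "mitigated"

if __name__ == "__main__":
    for ver, cfg in (("21.0.7.0", ""), ("22.2.3", SAMPLE_CONFIG), ("23.0.1.2", "")):
        print(f"{ver:>10}: {assess(ver, cfg)}")
```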
