Nextcloud PasswordPolicy: Random Gen Yields Blocked Common Passwords v<22.2.10
CVE-2022-35931 Published on September 6, 2022
Nextcloud Password Policy's generated passwords are not fully validated by HIBPValidator
Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3, the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7, or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.
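As an added example (not Nextcloud's own code), the pattern the fix calls for: the generator runs every candidate through the same validators the policy applies to user-chosen passwords and retries on rejection, so it cannot hand out a password it would itself block. The common-password list and the HIBP range table are constructed stand-ins so the example runs offline.

```python
import hashlib
import secrets
import string

# Constructed stand-in for the policy's common-password list (not Nextcloud's list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def sha1_upper(password):
    """Upper-case hex SHA-1, the form the HIBP range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for HIBP "range" responses: 5-char hash prefix -> set of
# hash suffixes known to be breached. Seeded from COMMON_PASSWORDS so the
# offline simulation is self-consistent.
HIBP_RANGES = {}
for _pw in COMMON_PASSWORDS:
    _digest = sha1_upper(_pw)
    HIBP_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])


def hibp_validator(password):
    """k-anonymity check: only the 5-char prefix would leave the server; the
    remaining 35 hex chars are compared locally against the returned suffixes."""
    digest = sha1_upper(password)
    return digest[5:] not in HIBP_RANGES.get(digest[:5], set())


def common_password_validator(password):
    """Case-insensitive lookup against the blocked common-password list."""
    return password.lower() not in COMMON_PASSWORDS


def validate(password):
    """Every check the policy applies to a user-chosen password."""
    return all(check(password) for check in (common_password_validator, hibp_validator))


def generate_password(length=12, draw=None, max_attempts=100):
    """Generate a candidate, then run it through validate(); retry on rejection
    so the generator never returns a password the policy would block.
    `draw` is injectable so a test can feed deliberately weak candidates."""
    alphabet = string.ascii_letters + string.digits
    if draw is None:
        def draw():
            return "".join(secrets.choice(alphabet) for _ in range(length))
    for _ in range(max_attempts):
        candidate = draw()
        if validate(candidate):
            return candidate
    raise RuntimeError("no candidate passed the password policy")
```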
Vulnerability Analysis
CVE-2022-35931 can be exploited with network access and requires user privileges. Its attack complexity is rated low. A successful exploit is rated as having no impact on confidentiality, no impact on integrity, and no impact on availability.
Weakness Type
Weak Encoding for Password
Obscuring a password with a trivial encoding does not protect the password. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. A programmer may try to remedy the problem by obscuring the password with an encoding function such as Base64, but this does not adequately protect the password.
Products Associated with CVE-2022-35931
Nextcloud Password Policy, Nextcloud
Affected Versions
Source: nextcloud security-advisories
- Version < 22.2.10 is affected.
- Version >= 23.0.0, < 23.0.7 is affected.
- Version >= 24.0.0, < 24.0.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.