Nextcloud Rate Limit Reset via Memcached (v<27.1.0)
CVE-2023-45148 Published on October 16, 2023
Rate limiter not working reliable when Memcached is installed in Nextcloud
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.
Vulnerability Analysis
CVE-2023-45148 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Restriction of Excessive Authentication Attempts
The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.
Products Associated with CVE-2023-45148
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-45148 are published in these products:
Affected Versions
nextcloud security-advisories:- Version >= 25.0.0, < 25.0.11 is affected.
- Version >= 26.0.0, < 26.0.6 is affected.
- Version >= 27.0.0, < 27.1.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.