What is CVE-2023-28835?

CVE-2023-28835 is a vulnerability in Nextcloud server that allows an attacker to guess the generated fallback password when creating a share.

How does CVE-2023-28835 affect Nextcloud server?

In affected versions of Nextcloud server, the generated fallback password for a share is created using a weak complexity random number generator, making it guessable to an attacker.

What is the severity of CVE-2023-28835?

The severity of CVE-2023-28835 is high, with a severity value of 7.5.

How can an attacker exploit CVE-2023-28835?

An attacker can exploit CVE-2023-28835 by brute forcing the guessable fallback password created for a share in affected versions of Nextcloud server.

How can I fix CVE-2023-28835?

To fix CVE-2023-28835, it is recommended to update Nextcloud server to a version that includes the fix for this vulnerability.

Vulnerability/
CVE-2023-28835

high

7.5

CWE

338

30/3/2023

11/2/2025

CVE-2023-28835: Insecure randomness for default password in nextcloud

First published: Thu Mar 30 2023(Updated: )

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Nextcloud Server	>=23.0.0<23.0.14
Nextcloud Nextcloud Server	>=24.0.0<24.0.10
Nextcloud Nextcloud Server	>=24.0.0<24.0.10
Nextcloud Nextcloud Server	>=25.0.0<25.0.4
Nextcloud Nextcloud Server	>=25.0.0<25.0.4

Remedy

https://github.com/nextcloud/server/pull/36093

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-28835?
CVE-2023-28835 is a vulnerability in Nextcloud server that allows an attacker to guess the generated fallback password when creating a share.
How does CVE-2023-28835 affect Nextcloud server?
In affected versions of Nextcloud server, the generated fallback password for a share is created using a weak complexity random number generator, making it guessable to an attacker.
What is the severity of CVE-2023-28835?
The severity of CVE-2023-28835 is high, with a severity value of 7.5.
How can an attacker exploit CVE-2023-28835?
An attacker can exploit CVE-2023-28835 by brute forcing the guessable fallback password created for a share in affected versions of Nextcloud server.
How can I fix CVE-2023-28835?
To fix CVE-2023-28835, it is recommended to update Nextcloud server to a version that includes the fix for this vulnerability.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/severity
agent/remedy
agent/author
agent/last-modified-date
agent/first-publish-date
agent/event
agent/description
agent/tags
agent/source
vendor/nextcloud
canonical/nextcloud nextcloud server
version/nextcloud nextcloud server/23.0.0
version/nextcloud nextcloud server/24.0.0
version/nextcloud nextcloud server/25.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.