CVE-2023-45148: Rate limiter not working reliable when Memcached is installed in Nextcloud
First published: Mon Oct 16 2023(Updated: )
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | >=22.0.0<22.2.10.16 | |
| Nextcloud Nextcloud Server | >=23.0.0<23.0.12.11 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.12.7 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.11 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.11 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.6 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.6 | |
| Nextcloud Nextcloud Server | =27.0.0 | |
| Nextcloud Nextcloud Server | =27.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this Nextcloud vulnerability?
The vulnerability ID of this Nextcloud vulnerability is CVE-2023-45148.
What is the severity level of CVE-2023-45148?
CVE-2023-45148 has a severity level of medium.
How does the vulnerability in Nextcloud Server occur?
The vulnerability in Nextcloud Server occurs when Memcached is used as `memcache.distributed`, causing the rate limiting to be reset unexpectedly.
Which versions of Nextcloud Server are affected by CVE-2023-45148?
Versions 22.0.0 to 22.2.10.16, 23.0.0 to 23.0.12.11, 24.0.0 to 24.0.12.7, and 25.0.0 to 25.0.11 of Nextcloud Server are affected by CVE-2023-45148.
How can I mitigate the vulnerability in Nextcloud Server?
To mitigate the vulnerability in Nextcloud Server, users are advised to upgrade to versions 25.0.11, 26.0.6, or 27.1.0.
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/title
- agent/weakness
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/22.0.0
- version/nextcloud nextcloud server/23.0.0
- version/nextcloud nextcloud server/24.0.0
- version/nextcloud nextcloud server/25.0.0
- version/nextcloud nextcloud server/26.0.0
- version/nextcloud nextcloud server/27.0.0