What is the severity of CVE-2023-49792?

CVE-2023-49792 has not been officially assigned a severity score but it affects multiple versions of Nextcloud Server.

How do I fix CVE-2023-49792?

To fix CVE-2023-49792, upgrade to Nextcloud Server versions 26.0.9, 27.1.4, or the corresponding versions for Nextcloud Enterprise Server.

Which versions of Nextcloud Server are affected by CVE-2023-49792?

CVE-2023-49792 affects Nextcloud Server versions prior to 26.0.9 and 27.1.4, along with several versions of Nextcloud Enterprise Server.

Is CVE-2023-49792 a remote code execution vulnerability?

The details of CVE-2023-49792 suggest it may involve security risks related to proxy configurations rather than direct remote code execution.

What should I do if I cannot upgrade my Nextcloud Server to a fixed version regarding CVE-2023-49792?

If upgrading is not possible, you should investigate additional security measures such as configuring reverse proxies securely or applying any available patches.

Vulnerability/
CVE-2023-49792

critical

9.8

CWE

307

22/12/2023

27/8/2024

CVE-2023-49792: Bruteforce protection can be bypassed with misconfigured proxy

First published: Fri Dec 22 2023(Updated: )

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Server	>=23.0.0<23.0.12.13
Nextcloud Server	>=24.0.0<24.0.12.9
Nextcloud Server	>=25.0.0<25.0.13.4
Nextcloud Server	>=26.0.0<26.0.9
Nextcloud Server	>=26.0.0<26.0.9
Nextcloud Server	>=27.0.0<27.1.4
Nextcloud Server	>=27.0.0<27.1.4

Remedy

https://github.com/nextcloud/server/pull/41526

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-49792?
CVE-2023-49792 has not been officially assigned a severity score but it affects multiple versions of Nextcloud Server.
How do I fix CVE-2023-49792?
To fix CVE-2023-49792, upgrade to Nextcloud Server versions 26.0.9, 27.1.4, or the corresponding versions for Nextcloud Enterprise Server.
Which versions of Nextcloud Server are affected by CVE-2023-49792?
CVE-2023-49792 affects Nextcloud Server versions prior to 26.0.9 and 27.1.4, along with several versions of Nextcloud Enterprise Server.
Is CVE-2023-49792 a remote code execution vulnerability?
The details of CVE-2023-49792 suggest it may involve security risks related to proxy configurations rather than direct remote code execution.
What should I do if I cannot upgrade my Nextcloud Server to a fixed version regarding CVE-2023-49792?
If upgrading is not possible, you should investigate additional security measures such as configuring reverse proxies securely or applying any available patches.

agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/remedy
agent/severity
agent/author
agent/title
agent/weakness
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/nextcloud
canonical/nextcloud server
version/nextcloud server/23.0.0
version/nextcloud server/24.0.0
version/nextcloud server/25.0.0
version/nextcloud server/26.0.0
version/nextcloud server/27.0.0