Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-28835

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-30 Mar, 2023 | 18:57
Updated At-11 Feb, 2025 | 18:50
Rejected At-
Credits

Insecure randomness for default password in nextcloud

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:30 Mar, 2023 | 18:57
Updated At:11 Feb, 2025 | 18:50
Rejected At:
▼CVE Numbering Authority (CNA)
Insecure randomness for default password in nextcloud

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

Affected Products
Vendor
Nextcloud GmbHnextcloud
Product
security-advisories
Versions
Affected
  • < 24.0.10
  • >= 25.0.0, < 25.0.4
Problem Types
TypeCWE IDDescription
CWECWE-338CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Type: CWE
CWE ID: CWE-338
Description: CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Metrics
VersionBase scoreBase severityVector
3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9
x_refsource_CONFIRM
https://github.com/nextcloud/server/pull/36093
x_refsource_MISC
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/nextcloud/server/pull/36093
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9
x_refsource_CONFIRM
x_transferred
https://github.com/nextcloud/server/pull/36093
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/nextcloud/server/pull/36093
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:30 Mar, 2023 | 19:15
Updated At:07 Apr, 2023 | 15:02

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Secondary3.13.5LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.5
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CPE Matches
Nextcloud GmbH
nextcloud
>>nextcloud_server>>Versions from 23.0.0(inclusive) to 23.0.14(exclusive)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
Nextcloud GmbH
nextcloud
>>nextcloud_server>>Versions from 24.0.0(inclusive) to 24.0.10(exclusive)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
Nextcloud GmbH
nextcloud
>>nextcloud_server>>Versions from 24.0.0(inclusive) to 24.0.10(exclusive)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
Nextcloud GmbH
nextcloud
>>nextcloud_server>>Versions from 25.0.0(inclusive) to 25.0.4(exclusive)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
Nextcloud GmbH
nextcloud
>>nextcloud_server>>Versions from 25.0.0(inclusive) to 25.0.4(exclusive)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
Weaknesses
CWE IDTypeSource
CWE-338Primarysecurity-advisories@github.com
CWE ID: CWE-338
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9security-advisories@github.com
Vendor Advisory
https://github.com/nextcloud/server/pull/36093security-advisories@github.com
Issue Tracking
Patch
Hyperlink: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://github.com/nextcloud/server/pull/36093
Source: security-advisories@github.com
Resource:
Issue Tracking
Patch

Change History

0
Information is not available yet

Similar CVEs

54Records found
CVE-2020-28924
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.26% / 48.86%
||
7 Day CHG~0.00%
Published-19 Nov, 2020 | 19:32
Updated-04 Aug, 2024 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.

Action-Not Available
Vendor-rclonen/aFedora Project
Product-fedorarclonen/a
CWE ID-CWE-331
Insufficient Entropy
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2022-40769
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.38% / 79.47%
||
7 Day CHG~0.00%
Published-18 Sep, 2022 | 16:01
Updated-03 Aug, 2024 | 12:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.

Action-Not Available
Vendor-profanity_projectn/a
Product-profanityn/a
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2008-0166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-5.54% / 89.89%
||
7 Day CHG~0.00%
Published-13 May, 2008 | 17:00
Updated-07 Aug, 2024 | 07:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Action-Not Available
Vendor-n/aCanonical Ltd.Debian GNU/LinuxOpenSSL
Product-ubuntu_linuxdebian_linuxopenssln/a
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVE-2024-34538
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.52%
||
7 Day CHG~0.00%
Published-06 May, 2024 | 00:00
Updated-02 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography.

Action-Not Available
Vendor-n/amateso
Product-n/apasswordsafe
CWE ID-CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • Previous
  • 1
  • 2
  • Next
Details not found