Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, dont create user accounts with long passwords.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nextcloud_server | Nextcloud | 23.0.0 (including) | 23.0.11 (excluding) |
| Nextcloud_server | Nextcloud | 24.0.0 (including) | 24.0.7 (excluding) |
A product’s design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.