CVE-2022-35931

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-35931

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35931.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-35931

Aliases

GHSA-c7mw-9q4r-8qwr

Downstream

openSUSE-SU-2023:0083-1

Related

openSUSE-SU-2023:0083-1

Published

2022-09-06T18:10:09Z

Modified

2026-04-10T04:49:33.253548Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Nextcloud Password Policy's generated passwords are not fully validated by HIBPValidator

Details

Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch for the issue in Password Policy. There are no known workarounds available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-261"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35931.json"
}

References

Affected packages

Git / github.com/nextcloud/password_policy

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/password_policy

Events

Introduced

00b9ab1b33883a1b8949387ce3537ddf8d674dbc

Fixed

39fd4946ed6486f16c8c15f9b83f6d12e64c3ee5

Database specific

{
    "versions": [
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.0.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/password_policy

Events

Introduced

Fixed

08a98af639d52f94a66cfda19c4c1f6c6582a85f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "22.2.10"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/password_policy

Events

Introduced

1a76cdcd0367e7a3061b2dfaf776170561cafc6e

Fixed

a3f727557a5b4bee4b983d9fdbf9bff62e159bdc

Database specific

{
    "versions": [
        {
            "introduced": "23.0.0"
        },
        {
            "fixed": "23.0.7"
        }
    ]
}

Affected versions

22.*

22.1.0

v11.*

v11.0.0

v11.0RC2

v12.*

v12.0.0

v12.0.0RC1

v12.0.0RC2

v12.0.0RC3

v12.0.0beta1

v12.0.0beta2

v12.0.0beta3

v12.0.0beta4

v13.*

v13.0.0RC1

v13.0.0beta1

v13.0.0beta2

v13.0.0beta3

v13.0.0beta4

v14.*

v14.0.0RC1

v14.0.0RC2

v14.0.0beta1

v14.0.0beta2

v14.0.0beta3

v14.0.0beta4

v15.*

v15.0.0RC1

v15.0.0beta1

v15.0.0beta2

v16.*

v16.0.0RC1

v16.0.0alpha1

v16.0.0beta1

v16.0.0beta2

v16.0.0beta3

v17.*

v17.0.0beta1

v17.0.0beta2

v17.0.0beta4

v18.*

v18.0.0

v18.0.0RC1

v18.0.0RC2

v18.0.0beta1

v18.0.0beta2

v18.0.0beta3

v18.0.0beta4

v19.*

v19.0.0RC1

v19.0.0RC2

v19.0.0beta1

v19.0.0beta2

v19.0.0beta3

v19.0.0beta4

v19.0.0beta5

v19.0.0beta6

v19.0.0beta7

v20.*

v20.0.0RC1

v20.0.0beta1

v20.0.0beta2

v20.0.0beta3

v20.0.0beta4

v21.*

v21.0.0RC1

v21.0.0beta1

v21.0.0beta2

v21.0.0beta3

v21.0.0beta4

v21.0.0beta5

v21.0.0beta6

v21.0.0beta7

v21.0.0beta8

v22.*

v22.0.0

v22.0.0beta1

v22.0.0beta2

v22.0.0beta3

v22.0.0beta4

v22.0.0beta5

v22.0.0rc1

v22.0.0rc2

v22.1.0

v22.1.0rc1

v22.1.1

v22.1.1rc1

v22.1.1rc2

v22.2.0

v22.2.0rc2

v22.2.1

v22.2.1rc1

v22.2.2

v22.2.3

v22.2.4

v22.2.4rc1

v22.2.4rc2

v22.2.4rc3

v22.2.5

v22.2.5rc1

v22.2.6

v22.2.6rc1

v22.2.6rc2

v22.2.7

v22.2.7rc1

v22.2.8

v22.2.8rc1

v22.2.9

v22.2.9rc1

v23.*

v23.0.0

v23.0.0rc1

v23.0.0rc2

v23.0.0rc3

v23.0.1

v23.0.1rc1

v23.0.1rc2

v23.0.1rc3

v23.0.2

v23.0.2rc1

v23.0.3

v23.0.3rc1

v23.0.3rc2

v23.0.4

v23.0.4rc1

v23.0.5

v23.0.5rc1

v23.0.6

v23.0.6rc1

v24.*

v24.0.0

v24.0.0rc2

v24.0.0rc3

v24.0.1

v24.0.1rc1

v24.0.2

v24.0.2rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35931.json"