CVE-2017-0887
05.04.2017, 20:59
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.Enginsight
| Vendor | Product | Version |
|---|---|---|
| nextcloud | nextcloud_server | 𝑥 < 9.0.55 |
| nextcloud | nextcloud_server | 10.0.0 ≤ 𝑥 < 10.0.2 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-807 - Reliance on Untrusted Inputs in a Security DecisionThe application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.