{"id":"CVE-2022-39330","summary":"Database resource exhaustion for logged-in users via sharee recommendations with circles","details":"Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 allow a logged-in attacker to slow down the system by generating a lot of database/CPU load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app.","aliases":["GHSA-wxx7-w5p4-7x4c"],"modified":"2026-04-10T04:50:22.776696Z","published":"2022-10-27T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39330.json","cwe_ids":["CWE-400"]},"references":[{"type":"WEB","url":"https://hackerone.com/reports/1688199"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39330.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39330"},{"type":"FIX","url":"https://github.com/nextcloud/circles/pull/1147"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/circles","events":[{"introduced":"f7a9e85a57112e98c201ebacf0b71e1bb6ded2a4"},{"fixed":"ed5866a670c98f3ac510d39820785ace9e9cbf1e"}],"database_specific":{"versions":[{"introduced":"23.0.0"},{"fixed":"23.0.9"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/circles","events":[{"introduced":"bfefc853900df81436cec7d42177785e196f4773"},{"fixed":"1f7cab38c7aa76d1354a0b7057c8d37c50ccd050"}],"database_specific":{"versions":[{"introduced":"24.0.0"},{"fixed":"24.0.5"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/ci
rcles","events":[{"introduced":"0"},{"fixed":"2cf23f1a330ca69407f6ae5757593da511dc5b80"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"22.2.10"}]}}],"versions":["0.14.1","22.0.0","22.0.0-beta.4","22.0.0-rc1","22.1.0","v0.10.0","v0.12.1","v0.12.2","v0.12.3","v0.12.4","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.13.4","v0.13.5","v0.13.6","v0.14.0","v0.14.2","v0.15.0","v0.15.1","v0.16.0","v0.16.1","v0.17.0","v0.17.1","v0.17.10","v0.17.2","v0.17.3","v0.17.4","v0.17.5","v0.17.6","v0.17.7","v0.17.8","v0.17.9","v0.18.0","v0.18.1","v0.18.2","v0.18.3","v0.19.0","v0.19.1","v0.19.2","v0.19.3","v0.19.4","v0.19.5","v0.20.0","v0.20.1","v0.20.2","v0.20.4","v0.20.5","v0.20.6","v0.9.4","v0.9.5","v0.9.6","v22.0.0","v22.0.0-alpha.2","v22.0.0-alpha.3","v22.0.0-alpha.4","v22.0.0-alpha.6","v22.0.0-alpha.9","v22.0.0-beta.1","v22.0.0-beta.5","v22.0.0beta3","v22.0.0rc1","v22.0.0rc2","v22.1.0","v22.1.0rc1","v22.1.1","v22.1.1rc1","v22.1.1rc2","v22.2.0","v22.2.0rc2","v22.2.1","v22.2.10rc1","v22.2.10rc2","v22.2.1rc1","v22.2.2","v22.2.3","v22.2.4","v22.2.4rc1","v22.2.4rc2","v22.2.4rc3","v22.2.5","v22.2.5rc1","v22.2.6","v22.2.6rc1","v22.2.6rc2","v22.2.7","v22.2.7rc1","v22.2.8","v22.2.8rc1","v22.2.9","v22.2.9rc1","v23.0.0","v23.0.0rc3","v23.0.1","v23.0.1rc1","v23.0.1rc2","v23.0.1rc3","v23.0.2","v23.0.2rc1","v23.0.3","v23.0.3rc1","v23.0.3rc2","v23.0.4","v23.0.4rc1","v23.0.5","v23.0.5rc1","v23.0.6","v23.0.6rc1","v23.0.7","v23.0.7rc1","v23.0.7rc2","v23.0.8","v23.0.8rc1","v23.0.9rc1","v24.0.0","v24.0.0rc2","v24.0.0rc3","v24.0.1","v24.0.1rc1","v24.0.2","v24.0.2rc1","v24.0.3","v24.0.3rc1","v24.0.3rc2","v24.0.4","v24.0.4rc1","v24.0.5rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39330.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H"}]}