user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No known workarounds are available.
References
Link | Resource |
---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xx3h-v363-q36j | Patch Vendor Advisory |
https://github.com/nextcloud/user_oidc/pull/642 | Patch |
https://hackerone.com/reports/2021684 | Permissions Required |
Configurations
History
16 Aug 2023, 19:10
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
CPE | cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:* | |
First Time |
Nextcloud user Oidc
Nextcloud |
|
References | (MISC) https://github.com/nextcloud/user_oidc/pull/642 - Patch | |
References | (MISC) https://hackerone.com/reports/2021684 - Permissions Required | |
References | (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xx3h-v363-q36j - Patch, Vendor Advisory |
10 Aug 2023, 14:46
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-10 14:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-39953
Mitre link : CVE-2023-39953
CVE.ORG link : CVE-2023-39953
JSON object : View
Products Affected
nextcloud
- user_oidc
CWE
CWE-303
Incorrect Implementation of Authentication Algorithm