user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are available.
References
Link | Resource |
---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f92-5c8p-f6gq | Patch Vendor Advisory |
https://github.com/nextcloud/user_oidc/pull/636 | Patch |
https://hackerone.com/reports/1994328 | Permissions Required |
Configurations
History
16 Aug 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/nextcloud/user_oidc/pull/636 - Patch | |
References | (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f92-5c8p-f6gq - Patch, Vendor Advisory | |
References | (MISC) https://hackerone.com/reports/1994328 - Permissions Required | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
First Time |
Nextcloud user Oidc
Nextcloud |
10 Aug 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-10 15:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-39954
Mitre link : CVE-2023-39954
CVE.ORG link : CVE-2023-39954
JSON object : View
Products Affected
nextcloud
- user_oidc
CWE
CWE-311
Missing Encryption of Sensitive Data