Lucene search

[email protected]CVE-2018-3761

HistoryJul 05, 2018 - 4:29 p.m.

CVE-2018-3761

2018-07-0516:29:00

CWE-287

[email protected]

web.nvd.nist.gov

nextcloud

server

oauth2

token

endpoint

authentication

vulnerability

cve-2018-3761

security

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.5%

JSON

Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.

Affected configurations

NVD

Node

nextcloudnextcloud_serverRange<12.0.8

nextcloudnextcloud_serverRange13.0.0–13.0.3

CPENameOperatorVersion
nextcloud:nextcloud_servernextcloud nextcloud serverlt12.0.8
nextcloud:nextcloud_servernextcloud nextcloud serverlt13.0.3

CPE	Name	Operator	Version
nextcloud:nextcloud_server	nextcloud nextcloud server	lt	12.0.8
nextcloud:nextcloud_server	nextcloud nextcloud server	lt	13.0.3

CNA Affected

[
  {
    "product": "Nextcloud Server",
    "vendor": "Nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "<13.0.3, <12.0.8"
      }
    ]
  }
]