user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1, sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP without TLS. Any malicious actor able to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use HTTPS to access Nextcloud: set an HTTPS discovery URL in the provider settings (in the Nextcloud OIDC admin settings).
{"id": "CVE-2022-39339", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-39339", "description": "user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).", "published": "2022-11-25T19:15:00", "modified": "2022-12-01T20:43:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39339", "reporter": "security-advisories@github.com", "references": ["https://hackerone.com/reports/1687005", "https://github.com/nextcloud/user_oidc/pull/495", "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"], "cvelist": ["CVE-2022-39339"], "immutableFields": [], "lastseen": "2022-12-01T21:11:14", "viewCount": 19, "enchantments": {"dependencies": {"references": [{"type": "nextcloud", "idList": ["GHSA-2VFF-CQ8H-CHHG"]}]}, "score": {"value": 0.4, "vector": "NONE"}, "twitter": {"counter": 6, "tweets": [{"link": "https://twitter.com/CVEnew/status/1596228530026709002", "text": "CVE-2022-39339 user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access t... https://t.co/r79e2hdMRx", "author": "CVEnew", "author_photo": "https://pbs.twimg.com/profile_images/1447927972393111557/PQRMlVvZ_400x400.jpg"}, {"link": "https://twitter.com/vulnonym/status/1596291196846223363", "text": "Hi, I'm CVE-2022-39339. I was never good with numbers though, so you can call me Purplish Pangolin\nhttps://t.co/pTqPHgwIHr", "author": "vulnonym", "author_photo": "https://pbs.twimg.com/profile_images/1235605772878438405/6p9IJVtn_400x400.jpg"}, {"link": "https://twitter.com/VulmonFeeds/status/1596269699666530305", "text": "CVE-2022-39339\n\nuser_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS....\n\nhttps://t.co/1fFAkWMGRg", "author": "VulmonFeeds", "author_photo": "https://pbs.twimg.com/profile_images/945758793161498625/67b3PEYK_400x400.jpg"}, {"link": "https://twitter.com/WolfgangSesin/status/1596398944791175173", "text": "New post from https://t.co/uXvPWJy6tj (CVE-2022-39339 | user_oidc up to 1.2.0 cleartext transmission (GHSA-2vff-cq8h-chhg)) has been published on https://t.co/WTwbvSRnpL", "author": "WolfgangSesin", "author_photo": "https://pbs.twimg.com/profile_images/957011635369054208/Om3jbj7z_400x400.jpg"}, {"link": "https://twitter.com/www_sesin_at/status/1596398947278458880", "text": "New post from https://t.co/9KYxtdZjkl (CVE-2022-39339 | user_oidc up to 1.2.0 cleartext transmission (GHSA-2vff-cq8h-chhg)) has been published on https://t.co/CbzVtCvFny", "author": "www_sesin_at", "author_photo": "https://pbs.twimg.com/profile_images/958100963822329858/fb_N8h5n_400x400.jpg"}]}, "affected_software": {"major_version": [{"name": "nextcloud openid connect user backend", "version": 1}]}, "vulnersScore": 0.4}, "_state": {"dependencies": 1670066695, "score": 1670066695, "twitter": 0, "affected_software_major_version": 1671611801}, "_internal": {"score_hash": "cf5e03b645366e8396a79e4137adb8de"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "score": 4.3}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-319"], "affectedSoftware": [{"cpeName": "nextcloud:openid_connect_user_backend", "version": "1.2.1", "operator": "lt", "name": "nextcloud openid connect user backend"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:nextcloud:openid_connect_user_backend:1.2.1:*:*:*:*:nextcloud:*:*", "versionEndExcluding": "1.2.1", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://hackerone.com/reports/1687005", "name": "https://hackerone.com/reports/1687005", "refsource": "MISC", "tags": ["Permissions Required", "Third Party Advisory"]}, {"url": "https://github.com/nextcloud/user_oidc/pull/495", "name": "https://github.com/nextcloud/user_oidc/pull/495", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg", "refsource": "CONFIRM", "tags": ["Patch", "Third Party Advisory"]}]}
{"nextcloud": [{"lastseen": "2022-12-01T22:09:33", "description": "## Description\n\n### Impact\n\nSensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS.\n\n### Patches\n\nPatched in user_oidc v1.2.1\n\n### Workarounds\n\nUse https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).\n\n### References\n\n[nextcloud/user_oidc#495](<https://github.com/nextcloud/user_oidc/pull/495>) \n<https://hackerone.com/reports/1687005>\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n * Create a post in [nextcloud/security-advisories](<https://github.com/nextcloud/security-advisories/discussions>)\n * Customers: Open a support ticket at [support.nextcloud.com](<https://support.nextcloud.com>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-11-25T11:27:11", "type": "nextcloud", "title": "Cleartext Transmission of Sensitive Information in user_oidc", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-39339"], "modified": "2022-11-25T11:27:11", "id": "GHSA-2VFF-CQ8H-CHHG", "href": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-02-03T02:24:10", "bounty": 0.0, "description": "The [OpenID Connect User Backend](https://github.com/nextcloud/user_oidc/) allows users to login to Nextcloud using SSO and is - according to [the policy](https://hackerone.com/nextcloud?type=team) - part of the main scope of this program. The implementation supports plain HTTP without TLS and transfers sensitive information such as OIDC **client_secrets** in an unencrypted manner.\n\n[According to the OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements), \"*to protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a ciphersuite that provides confidentiality and integrity protection*\".\n\nI did not find anything related to this within your threat model (which is unavailable at the moment btw. - therefore I am referring to this snapshot: https://web.archive.org/web/20220320042405/https://nextcloud.com/security/threat-model).\n\n## Steps to reproduce\n0. Setup Nextcloud using the docker image:\n```console\ndocker run -p 8081:80 nextcloud:latest\n```\n1. Enable `user_oidc` module via http://localhost:8081/settings/apps/integration/user_oidc\n2. Configure plugin via http://localhost:8081/settings/admin/user_oidc - add a provider with arbitrary identifier, client_id and client_secret. Include a burp collaborator URL with `http://` scheme: \n{F1894137}\n3. In a private window, visit http://localhost:8081/login an click the login button \"test\".\n4. Observe incoming request using plain HTTP: \n{F1894136}\n\nIn a working SSO setup, sensitive information such as the client_secret is sent in plain text by Nextcloud, as can be seen in the following screenshot (Token Request issued by Nextcloud): \n{F1894138}\n\n## Fix\nThe `user_oidc` should enforce HTTPS in its default configuration.\n\n## Impact\n\nSensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-08-31T12:01:57", "type": "hackerone", "title": "Nextcloud: [user_oidc] Unencrypted Communications", "bulletinFamily": "bugbounty", "cvss2": {}, "cvelist": ["CVE-2022-39339"], "modified": "2022-12-18T11:29:27", "id": "H1:1687005", "href": "https://hackerone.com/reports/1687005", "cvss": {"score": 0.0, "vector": "NONE"}}]}