Lucene search

GitHub_MCVELIST:CVE-2024-37886

HistoryJun 14, 2024 - 3:45 p.m.

CVE-2024-37886 Nextcloud user_oidc's ID4me does not validate signature or expiration

2024-06-1415:45:12

CWE-347

GitHub_M

www.cve.org

nextcloud

user_oidc

openid connect

signature validation

expiration validation

upgrade

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

15.6%

JSON

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 1.3.5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-vw5h-29xf-g55g

github.com/nextcloud/user_oidc/pull/715

hackerone.com/reports/1878391