Nextcloud: External storage app saves password for all users in the database

HackerOne report H1:867164
Reported by alacn1 (hackerone.com)
May 06, 2020 - 1:13 p.m. (2020-05-06 13:13:40)

EPSS: 0.001
Percentile: 40.5%

The External storage (files_external) app saves the passwords of all users to the database table “oc_credentials”, even when the “Log-in credentials, save in database” option is not used.

This is a security risk that allows password extraction for all users.

A local system admin with access to the database and the Nextcloud config file could decrypt any user's password.

Steps to reproduce

  1. Enable app “External storage support” (files_external).
  2. Login to nextcloud.
  3. The user's recoverable password is saved to table “oc_credentials” under the identifier “password::logincredentials/credentials”.

Expected behaviour

Don’t save the user's password to table “oc_credentials” unless the user has a mount configured with the “Log-in credentials, save in database” option.

Actual behaviour

The passwords of all users are saved to table “oc_credentials” whenever the files_external app is enabled.

Tested with

Nextcloud 18.0.4 + External storage 1.9.0
Nextcloud 17.0.5 + External storage 1.8.0

Impact

A local system admin could recover any user password.
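For an administrator who wants to check whether an instance is affected, the following added audit script (not part of the original report or of Nextcloud) flags users whose login credentials are stored under the “password::logincredentials/credentials” identifier in “oc_credentials” although they have no mount that uses the “Log-in credentials, save in database” option. The table name and identifier come from the report; the column names (user, identifier, credentials), the SQLite sample database and the list of users with such mounts are constructed assumptions so the check runs offline.

```python
import sqlite3

# Identifier under which the report says login credentials are stored.
LOGIN_CRED_ID = "password::logincredentials/credentials"


def audit_login_credentials(conn, users_with_login_cred_mounts):
    """Return users whose login credentials sit in oc_credentials
    although no external-storage mount of theirs needs them.

    conn: an open DB-API connection to the Nextcloud database.
    users_with_login_cred_mounts: user ids that legitimately have a mount
    configured with "Log-in credentials, save in database" (assumed to be
    collected separately, e.g. from the mount configuration).
    """
    rows = conn.execute(
        "SELECT user FROM oc_credentials WHERE identifier = ?", (LOGIN_CRED_ID,)
    ).fetchall()
    stored = {row[0] for row in rows}
    # Anything stored without a matching mount is the behaviour the report describes.
    return sorted(stored - set(users_with_login_cred_mounts))


def build_sample_db():
    """Constructed in-memory stand-in for oc_credentials (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_credentials (user TEXT, identifier TEXT, credentials TEXT)"
    )
    conn.executemany(
        "INSERT INTO oc_credentials VALUES (?, ?, ?)",
        [
            ("alice", LOGIN_CRED_ID, "<encrypted blob>"),   # alice has a login-credential mount
            ("bob", LOGIN_CRED_ID, "<encrypted blob>"),     # bob has none: unexpected row
            ("carol", "password::sessioncredentials/other", "<encrypted blob>"),  # unrelated identifier
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    # In the sample only alice has a mount that needs stored login credentials.
    for user in audit_login_credentials(db, ["alice"]):
        print(f"unexpected stored login credentials for user: {user}")
```

Against a real instance, replace build_sample_db() with a connection to the Nextcloud database and supply the users who actually have a login-credential mount; every user the function returns has a row that exists only because of the behaviour described above and can be reviewed for removal.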
