Nextcloud GHSA-J4QM-5Q5X-54M5
Published: Aug 10, 2023, 7:20 a.m.

Missing password confirmation when creating app passwords

Published: 2023-08-10 07:20:25
Source: github.com
Tags: nextcloud, security vulnerability, hackerone, app passwords

8.1 High (CVSS3)

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS: 0.001 Low (percentile 19.9%)

Description

Impact

A missing password confirmation allowed an attacker who had already stolen the session of a logged-in user to create app passwords for the victim. Because an app password is a standalone credential that outlives the browser session it was created from, this turns a transient session compromise into persistent access to the account, without the attacker ever knowing the victim's password.
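The control the advisory describes, shown as an added example rather than Nextcloud's own code: a hypothetical app-password endpoint in its pre-fix form next to a version that demands a recent password confirmation (sudo-mode style, with an assumed 30-minute validity window), exercised with a stolen session, with the legitimate owner, and with a confirmation that has gone stale. All names (User, Session, CONFIRM_TTL, the create_app_password_* functions) are made up for the illustration.

```python
"""Added example, not Nextcloud code: models the password-confirmation check that
the advisory says was missing. All names (User, Session, CONFIRM_TTL, the two
create_app_password_* functions) are hypothetical."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Assumed: how long a fresh password confirmation stays valid for sensitive actions.
CONFIRM_TTL = 30 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    uid: str
    salt: bytes
    pw_hash: bytes
    # name -> sha256 of the app password; tokens are stored hashed, like any credential
    app_passwords: dict = field(default_factory=dict)

    @classmethod
    def create(cls, uid: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(uid, salt, _hash_password(password, salt))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)


@dataclass
class Session:
    user: User
    # epoch seconds of the last password confirmation in this session; 0 = never
    last_password_confirm: float = 0.0


class PasswordConfirmationRequired(Exception):
    """Raised when a sensitive action is attempted without a recent confirmation."""


def confirm_password(session: Session, password: str, now: Optional[float] = None) -> bool:
    """The user re-enters their password; on success the session records the time."""
    now = time.time() if now is None else now
    if not session.user.check_password(password):
        return False
    session.last_password_confirm = now
    return True


def create_app_password_vulnerable(session: Session, name: str) -> str:
    """Pre-fix behaviour: a valid session is all that is required."""
    token = secrets.token_urlsafe(32)
    session.user.app_passwords[name] = hashlib.sha256(token.encode()).hexdigest()
    return token


def create_app_password_fixed(session: Session, name: str, now: Optional[float] = None) -> str:
    """Fixed behaviour: the session must carry a confirmation newer than CONFIRM_TTL."""
    now = time.time() if now is None else now
    if now - session.last_password_confirm > CONFIRM_TTL:
        raise PasswordConfirmationRequired("recent password confirmation required")
    return create_app_password_vulnerable(session, name)


def stolen_session_scenario(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario: the attacker holds the victim's session, not the password."""
    victim = User.create("alice", "correct horse battery staple")
    stolen = Session(victim)  # same user, no confirmation on record
    results = {}

    # Vulnerable server: the stolen session alone mints a persistent credential.
    results["vulnerable"] = create_app_password_vulnerable(stolen, "attacker-laptop") is not None

    # Fixed server: refused, because the attacker cannot confirm the password.
    try:
        create_app_password_fixed(stolen, "attacker-laptop", now=now)
        results["fixed"] = "created"
    except PasswordConfirmationRequired:
        results["fixed"] = "refused"

    # The real owner confirms the password and succeeds inside the window...
    owner = Session(victim)
    confirm_password(owner, "correct horse battery staple", now=now)
    results["owner"] = "created" if create_app_password_fixed(owner, "phone", now=now) else "refused"

    # ...but once the confirmation is older than CONFIRM_TTL the check fires again.
    try:
        create_app_password_fixed(owner, "tablet", now=now + CONFIRM_TTL + 1)
        results["stale"] = "created"
    except PasswordConfirmationRequired:
        results["stale"] = "refused"
    return results
```

The confirmation window is a deliberate trade-off: a session stolen shortly after its owner confirmed their password can still mint an app password until the window expires, so the window should be short and app-password creation should be logged and surfaced to the user.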

Patches

It is recommended that Nextcloud Server is upgraded to 25.0.9, 26.0.4 or 27.0.1.
It is recommended that Nextcloud Enterprise Server is upgraded to 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4 or 27.0.1.
Upgrading does not invalidate app passwords that were already created, so for any account whose session may have been stolen, review the devices and sessions listed under the user's Settings > Security page and revoke any entry the user does not recognise.

Workarounds

  • No workaround available

References

For more information

If you have any questions or comments about this advisory:

CPE Name   Operator   Version
server     lt         25.0.0
server     lt         26.0.0
server     lt         27.0.0
