Nextcloud: GHSA-VW7G-959G-VJ6Q
Published: Jun 14, 2024, 14:25 (source: github.com security advisories)

ID4me feature of OpenID connect app available even when disabled

Tags: access control, openid connect, nextcloud, hackerone, security advisories

CVSS 3.1 base score: 6.3 (Medium)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Metric                  Value
Attack Vector           Adjacent
Attack Complexity       Low
Privileges Required     None
User Interaction        None
Scope                   Unchanged
Confidentiality Impact  Low
Integrity Impact        Low
Availability Impact     Low

AI Score: 6.5 (Medium), confidence: High
EPSS: 0.0004 (Low), percentile: 15.5%

Description

Impact

The ID4me endpoint of the OpenID Connect user backend (user_oidc) is reachable without authentication and does not check whether the administrator has enabled the ID4me feature. An attacker who can reach the endpoint can therefore register an account through ID4me even when the feature is disabled, and with that account gains access to any data that is available to all registered users of the instance.
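The underlying pattern is a feature toggle that only hides the UI while the server-side route keeps working. The following is an added illustration written for this page, not code from nextcloud/user_oidc: it shows a Nextcloud app controller with the unchecked variant beside a hardened one. The OCP/Psr imports are real Nextcloud framework classes; the namespace, the controller and method names, the `id4me_enabled` app-config key and the `Id4MeFlow` service are assumptions.

```php
<?php

declare(strict_types=1);

// Added illustration, not code from nextcloud/user_oidc. The namespace, class
// and method names, the 'id4me_enabled' app-config key and the Id4MeFlow
// service are hypothetical; the OCP and Psr classes are Nextcloud's own.

namespace OCA\ExampleOidc\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\Http\Response;
use OCP\IConfig;
use OCP\IRequest;
use Psr\Log\LoggerInterface;

/** Hypothetical service that runs ID4me discovery and provisions the user. */
interface Id4MeFlow {
	/** Returns the authorization URL the browser should be redirected to. */
	public function start(string $identifier): string;
}

class Id4MeController extends Controller {
	/** Assumed app-config key holding the admin's ID4me toggle ('1' = enabled). */
	private const TOGGLE_KEY = 'id4me_enabled';

	private IConfig $config;
	private Id4MeFlow $flow;
	private LoggerInterface $logger;

	public function __construct(string $appName, IRequest $request, IConfig $config,
			Id4MeFlow $flow, LoggerInterface $logger) {
		parent::__construct($appName, $request);
		$this->config = $config;
		$this->flow = $flow;
		$this->logger = $logger;
	}

	/** Reads the toggle from app config; anything other than '1' counts as off. */
	private function id4meEnabled(): bool {
		return $this->config->getAppValue($this->appName, self::TOGGLE_KEY, '0') === '1';
	}

	/**
	 * VULNERABLE pattern: the toggle only decides whether the login page shows
	 * an ID4me button. The public route never consults it, so anyone who can
	 * reach the URL can start a registration while the feature is "off".
	 *
	 * @PublicPage
	 * @NoCSRFRequired
	 */
	public function registerUnchecked(string $identifier): Response {
		return new RedirectResponse($this->flow->start($identifier));
	}

	/**
	 * HARDENED: enforce the toggle server-side before any state is created.
	 * The same guard belongs in every route of the flow (start, callback, ...),
	 * because an attacker does not need the UI to reach them.
	 *
	 * @PublicPage
	 * @NoCSRFRequired
	 */
	public function register(string $identifier): Response {
		if (!$this->id4meEnabled()) {
			// Requests to a disabled feature are a detection signal; log them.
			$this->logger->warning('ID4me registration attempted while the feature is disabled', [
				'app' => $this->appName,
				'remote' => $this->request->getRemoteAddress(),
			]);
			// 404 rather than 403: to the outside world the feature does not exist.
			return new JSONResponse(['message' => 'ID4me is not enabled'], Http::STATUS_NOT_FOUND);
		}
		return new RedirectResponse($this->flow->start($identifier));
	}
}
```

When reviewing a fix for this class of bug, check every route the flow registers (the discovery start, the callback that creates the account, any status endpoint), not only the one linked from the login page; a guard on the first step alone still leaves the account-creating callback reachable by anyone who can forge the intermediate state.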

Patches

It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).

Workarounds

  • Disable the user_oidc app (for example with occ app:disable user_oidc) until the upgrade is applied. Turning off the ID4me feature in the app's settings is not sufficient, since the vulnerability is precisely that the endpoint ignores that setting.

References

For more information

If you have any questions or comments about this advisory:

Affected versions (CPE)

Name        Operator  Version
user_oidc   >=
user_oidc   <=        1.3.6
