Lucene search

[email protected]NVD:CVE-2023-28848

HistoryApr 04, 2023 - 1:15 p.m.

CVE-2023-28848

2023-04-0413:15:08

CWE-352

[email protected]

web.nvd.nist.gov

nextcloud

user oidc

oidc connect

vulnerability

state protection

patch

upgrade

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

26.2%

JSON

user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.

Affected configurations

Nvd

Node

nextclouduser_oidcRange1.0.0–1.3.0

VendorProductVersionCPE
nextclouduser_oidc*cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	user_oidc	*	cpe:2.3:a:nextcloud:user_oidc::::::::

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-52hv-xw32-wf7f

github.com/nextcloud/user_oidc/pull/580

hackerone.com/reports/1878381

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

26.2%

JSON

Related for NVD:CVE-2023-28848

hackerone1 cvelist1 prion1 cve1 nextcloud1 osv1