Lucene search

[email protected]NVD:CVE-2024-37886

HistoryJun 14, 2024 - 4:15 p.m.

CVE-2024-37886

2024-06-1416:15:13

CWE-347

[email protected]

web.nvd.nist.gov

nextcloud

user_oidc

openid connect

security update

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

15.6%

JSON

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-vw5h-29xf-g55g

github.com/nextcloud/user_oidc/pull/715

hackerone.com/reports/1878391