Lucene search

NextcloudGHSA-WPPC-F5G8-VX36

HistoryJan 18, 2024 - 8:39 a.m.

OAuth2 authorization codes are valid indefinetly

2024-01-1808:39:31

github.com

oauth2

authorization codes

expiration

nextcloud

upgrade

hackerone

pullrequest

security advisory

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

19.8%

JSON

Description

Impact

When an attacker would get access to an authorization code they could authenticate at any time using the code. Now they are invalidated after 10 minutes and will no longer be authenticated.

Patches

It is recommended that the Nextcloud Server is upgraded to 28.0.0
It is recommended that the Nextcloud Enterprise Server is upgraded to 28.0.0

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at portal.nextcloud.com

References

github.com/nextcloud/server/pull/40766

hackerone.com/reports/1784162

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

19.8%

JSON

Related for GHSA-WPPC-F5G8-VX36