Nextcloud user_oidc app is missing brute force protection
CVE-2023-32074

8HIGH

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
25 May 2023

What is CVE-2023-32074?

The user_oidc app for Nextcloud, designed for OpenID Connect authentication, is susceptible to an authentication bypass vulnerability. Attackers could exploit this flaw to gain unauthorized access to user accounts. It is imperative for organizations using this app to update to version 1.3.2 or higher to mitigate potential security risks. Additional details and remediation steps can be found in the official security advisory published by Nextcloud.

Affected Version(s)

security-advisories < 1.3.2

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/user_oidc/pull/615
x_refsource_MISC
https://hackerone.com/reports/1954711
x_refsource_MISC

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.