Nextcloud global site selector authentication bypass
CVE-2024-22212

9.7 CRITICAL

Key Information:

Vendor: Nextcloud

CVE Published: 18 January 2024

What is CVE-2024-22212?

The Nextcloud Global Site Selector contains an authentication bypass caused by a flaw in its password verification method. The flaw allows an unauthenticated attacker to authenticate as any other user, which can lead to unauthorized access to that user's account and to sensitive information. To mitigate the risk, upgrade to one of the fixed versions: 1.4.1, 2.1.2, 2.3.4, or 2.4.5. No workaround is known for this issue, so applying the update is the only available remediation.

Affected Version(s)

Package | Affected versions | Unaffected versions
--- | --- | ---
security-advisories | >= 1.1.0, < 1.4.1 | < 1.1.0, 1.4.1
security-advisories | >= 2.0.0, < 2.1.2 | < 2.0.0, 2.1.2
security-advisories | >= 2.2.0, < 2.3.4 | < 2.2.0, 2.3.4

CVSS V3.1

  • Score: 9.7
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed

Timeline

  • Vulnerability published: 18 January 2024
  • Vulnerability reserved