Nextcloud Server Security Update: Bypass of 2FA Possible in Certain Circumstances
CVE-2024-37313

7.3HIGH

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
14 June 2024

Badges

đź“° News Worthy

What is CVE-2024-37313?

The Nextcloud Server Security Update addresses a vulnerability, CVE-2024-37313, which allows attackers to bypass 2FA under certain circumstances. This vulnerability has a high severity rating and affects the Nextcloud Server, a self-hosted personal cloud system. While no known exploitations in the wild have been reported, it is recommended to upgrade to the latest versions to mitigate the risk. The potential impact of the vulnerability includes the circumvention of 2FA and extension of specific access rights, posing a threat to the security of data and systems.

Affected Version(s)

security-advisories >= 26.0.0, < 26.0.13 < 26.0.0, 26.0.13

security-advisories >= 27.0.0, < 27.1.8 < 27.0.0, 27.1.8

security-advisories >= 28.0.0, < 28.0.4 < 28.0.0, 28.0.4

News Articles

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/server/pull/44276
x_refsource_MISC
https://hackerone.com/reports/2419776
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • đź“°

    First article discovered by Ress.at

  • Vulnerability published

  • Vulnerability Reserved

.