OAuth2 Client Secret Vulnerability in Nextcloud Server
CVE-2024-52519
8.2 HIGH
What is CVE-2024-52519?
Nextcloud Server, a self-hosted cloud solution, did not adequately protect OAuth2 client secrets. The secrets were stored in a manner that made them retrievable, which poses a risk if an unauthorized actor gains access to affected database backups and configuration files. To mitigate this risk, it is essential for users to upgrade to the latest secure versions: Nextcloud Server 28.0.10 or 29.0.7, and Nextcloud Enterprise Server 27.1.11.8, 28.0.10, or 29.0.7. Security best practices must be followed to ensure the integrity of sensitive information.
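The difference between retrievable and non-retrievable storage of a client secret, under the exposure described above (a database backup plus the configuration file), is sketched below as an added example that is not Nextcloud's code. The page does not say how the secrets were stored or how the fixed versions store them; the SHAKE-256 keystream cipher, the SHA-512 digest and every function name here are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream) standing in for a real
    # symmetric cipher, used only so the example runs on the stdlib.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def store_reversible(client_secret: str, config_key: bytes) -> str:
    """Retrievable storage: ciphertext in the database, key in the config file."""
    nonce = secrets.token_bytes(16)
    return (nonce + _xor_stream(config_key, nonce, client_secret.encode())).hex()


def read_reversible(record: str, config_key: bytes) -> str:
    """Whoever holds the database record and the config key gets the secret back."""
    raw = bytes.fromhex(record)
    return _xor_stream(config_key, raw[:16], raw[16:]).decode()


def store_hashed(client_secret: str) -> str:
    """Non-retrievable storage: keep only a digest of the secret.
    Assumes the secret is long and random, so a plain SHA-512 is adequate."""
    return hashlib.sha512(client_secret.encode()).hexdigest()


def verify_hashed(record: str, presented_secret: str) -> bool:
    """Check a secret presented by the client, compared in constant time."""
    candidate = hashlib.sha512(presented_secret.encode()).hexdigest()
    return hmac.compare_digest(record, candidate)


def demo() -> dict:
    config_key = secrets.token_bytes(32)        # constructed: key kept in a config file
    client_secret = secrets.token_urlsafe(48)   # constructed: an OAuth2 client secret
    reversible = store_reversible(client_secret, config_key)
    hashed = store_hashed(client_secret)
    return {
        "backup_plus_config_recovers_secret":
            read_reversible(reversible, config_key) == client_secret,
        "hashed_record_contains_secret": client_secret in hashed,
        "hashed_accepts_correct": verify_hashed(hashed, client_secret),
        "hashed_rejects_wrong": verify_hashed(hashed, client_secret + "x"),
    }


if __name__ == "__main__":
    print(demo())
```

With the hashed form the server can still authenticate a client, but the stored value no longer yields the secret to someone who obtains both the backup and the configuration file.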