CVE-2022-39339Cleartext Transmission of Sensitive Info in Security-advisories

CWE-319Cleartext Transmission of Sensitive Info2 documents2 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 56.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Openid Connect User Backend
Timeline
PublishedNov 25

Description

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Cleartext Transmission of Sensitive Information in user_oidc2022-11-25
CVE-2022-39339 — Security-advisories vulnerability | cvebase