CVE-2024-22212Missing Authentication for Critical Function in Global Site Selector

CWE-306Missing Authentication for Critical Function2 documents2 sources
Severity
9.8CRITICALNVD
CNA9.6
EPSS
1.2%
top 21.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Global Site SelectorNextcloud Security-advisories
Timeline
PublishedJan 18

Description

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDnextcloud/global_site_selector1.1.01.4.1+3
CVEListV5nextcloud/security-advisories4 versions+3

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud global site selector authentication bypass2024-01-18
CVE-2024-22212 — Global Site Selector vulnerability | cvebase