CVE-2024-37312 — Improper Access Control in User Oidc

CWE-284 — Improper Access Control2 documents2 sources

Severity

6.3MEDIUMNVD

EPSS

0.5%

top 35.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud User Oidc Nextcloud Security-advisories

Timeline

PublishedJun 14

Description

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶NVDnextcloud/user_oidc< 5.0.0

▶CVEListV5nextcloud/security-advisories1.3.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud user_oidc app's ID4me feature is available even when disabled↗2024-06-14

▶