CVE-2024-37886 — Improper Verification of Cryptographic Signature in Security-advisories

CWE-347 — Improper Verification of Cryptographic Signature2 documents2 sources

Severity

4.7MEDIUMNVD

CNA5.4

EPSS

0.6%

top 30.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud User Oidc

Timeline

PublishedJun 14

Description

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/user_oidc< 1.3.5

▶CVEListV5nextcloud/security-advisories< 1.3.5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud user_oidc's ID4me does not validate signature or expiration↗2024-06-14

▶