CVE-2024-52525

CWE-312 — Cleartext Storage of Sensitive Info2 documents2 sources

Severity

7.5HIGH

EPSS

0.7%

top 27.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedNov 15

Description

Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:NExploitability: 0.2 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server28.0.0 — 28.0.12+2

▶CVEListV5nextcloud/security-advisories>= 28.0.0, < 28.0.12, >= 29.0.0, < 29.0.9, >= 30.0.0, < 30.0.2+2

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Server User password is available in memory of the PHP process↗2024-11-15

▶