CVE-2020-8296
CVSS 3.1 base score: 6.7
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 / Impact: 5.9
Source: NVD
Description
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
Affected (2)
Products: Nextcloud: Nextcloud Server · Fedoraproject: Fedora
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Nextcloud Server | Before 20.0.0 |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Fedora | Version 34 |
Related CWEs
CWE-257
Storing Passwords in a Recoverable Format
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
CWE-521
Weak Password Requirements
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.