CVE-2022-39339

Published: Nov 25, 2022Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).

Affected (1)

Products: Nextcloud: Openid Connect User Backend

1 product

Openid Connect User Backend

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Openid Connect User Backend	Before 1.2.1

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (6)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/nextcloud/user_oidc/pull/495

Source: security-advisories@github.com

PatchThird Party Advisory

https://hackerone.com/reports/1687005

Source: security-advisories@github.com

Permissions RequiredThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/nextcloud/user_oidc/pull/495

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hackerone.com/reports/1687005

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.