CVE-2020-8296

Exploit

EPSS 0.25%
Published 03.03.2021 18:15:13
Last modified 21.11.2024 05:38:40
Source support@hackerone.com
Teams watchlist Login
Open Login

Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.

Affected products Warnungen 0 Metrics 3 CWE 2 References 8

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version < 20.0.0

Fedoraproject ≫ Fedora Version34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.25%	0.478

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.7	0.8	5.9	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	4.6	3.9	6.4	AV:L/AC:L/Au:N/C:P/I:P/A:P

CWE-257 Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

CWE-521 Weak Password Requirements

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

https://github.com/nextcloud/server/issues/17439

Third Party Advisory

Exploit

https://github.com/nextcloud/server/pull/21037

Patch

Third Party Advisory

https://hackerone.com/reports/867164

Third Party Advisory

Exploit

Issue Tracking