4.3

CVE-2022-39339

EPSS 0.13%
Published 25.11.2022 19:15:11
Last modified 21.11.2024 07:18:04
Source security-advisories@github.com
Teams watchlist Login
Open Login

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text of HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use https to access Nextcloud. Set an HTTPS discovery URL in the provider settings (in Nextcloud OIDC admin settings).

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Openid Connect User Backend SwPlatformnextcloud Version < 1.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.334

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg

Patch

Third Party Advisory

https://github.com/nextcloud/user_oidc/pull/495

Patch

Third Party Advisory

https://hackerone.com/reports/1687005

Third Party Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-39339

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39339

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39339

EUVD