8.8

CVE-2023-45151

EPSS 0.69%
Veröffentlicht 16.10.2023 19:15:10
Zuletzt bearbeitet 21.11.2024 08:26:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OAuth2 client_secret stored in plain text in the Nextcloud database

OAuth2 client_secret stored in plain text in the database

Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 6 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.8

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.3

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.3

Nextcloud ≫ Nextcloud Server Version27.0.0 SwEdition-

Nextcloud ≫ Nextcloud Server Version27.0.0 SwEditionenterprise

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 25.0.0, < 25.0.8

Version >= 26.0.0, < 26.0.3

Version >= 27.0.0, < 27.0.1

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 25.0.0, < 25.0.8

Version >= 26.0.0, < 26.0.3

Version >= 27.0.0, < 27.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.69%	0.719

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9

Vendor Advisory

https://github.com/nextcloud/server/pull/38398

Patch

Issue Tracking

https://hackerone.com/reports/1994324

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-45151

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45151

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45151

EUVD