4.4

CVE-2023-48305

Exploit

EPSS 0.2%
Veröffentlicht 21.11.2023 23:15:07
Zuletzt bearbeitet 21.11.2024 08:31:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server user_ldap app logs user passwords in the log file on level debug

user_ldap app logs user passwords in the log file on level debug

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. As a workaround, change config setting `loglevel` to `1` or higher (should always be higher than 1 in production environments).

Mögliche Gegenmaßnahme

Server: * Change config setting `loglevel` to `1` or higher (should always be higher than 1 in production environments).

Enterprise Server: * Change config setting `loglevel` to `1` or higher (should always be higher than 1 in production environments).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 6 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.11

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.11

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.6

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.6

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 27.0.0 < 27.1.0

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 25.0.0, < 25.0.11

Version >= 26.0.0, < 26.0.6

Version >= 27.0.0, < 27.1.0

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 25.0.0, < 25.0.11

Version >= 26.0.0, < 26.0.6

Version >= 27.0.0, < 27.1.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.42

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.4	0.8	3.6	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.2	1.1	2.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-312 Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr

Vendor Advisory

https://github.com/nextcloud/server/issues/38461

Exploit

Issue Tracking

https://github.com/nextcloud/server/pull/40013

Patch

Issue Tracking

https://hackerone.com/reports/2101165

Third Party Advisory

Exploit

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-48305

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-48305

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-48305

EUVD