CVE-2024-22212

EPSS 1.15%
Veröffentlicht 18.01.2024 19:15:10
Zuletzt bearbeitet 21.11.2024 08:55:48
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Global Site Selector Version >= 1.1.0 < 1.4.1

Nextcloud ≫ Global Site Selector Version >= 2.0.0 < 2.1.2

Nextcloud ≫ Global Site Selector Version >= 2.2.0 < 2.3.4

Nextcloud ≫ Global Site Selector Version >= 2.4.0 < 2.4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.15%	0.778

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/nextcloud/globalsiteselector/commit/ab5da57190d5bbc79079ce4109b6bcccccd893ee

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vj5q-f63m-wp77

Patch

Vendor Advisory

https://hackerone.com/reports/2248689

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-22212

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22212

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22212

EUVD