CVE-2024-22212

EPSS 1.15%
Published 18.01.2024 19:15:10
Last modified 21.11.2024 08:55:48
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Global Site Selector Version >= 1.1.0 < 1.4.1

Nextcloud ≫ Global Site Selector Version >= 2.0.0 < 2.1.2

Nextcloud ≫ Global Site Selector Version >= 2.2.0 < 2.3.4

Nextcloud ≫ Global Site Selector Version >= 2.4.0 < 2.4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.15%	0.778

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/nextcloud/globalsiteselector/commit/ab5da57190d5bbc79079ce4109b6bcccccd893ee

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vj5q-f63m-wp77

Patch

Vendor Advisory

https://hackerone.com/reports/2248689

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-22212

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22212

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22212

EUVD