CVSS 3.7
CVE-2024-22403
- EPSS 0.28%
- Published 18.01.2024 20:15:08
- Last modified 21.11.2024 08:56:12
- Source security-advisories@github.com
OAuth2 authorization codes are valid indefinitely in Nextcloud Server
Nextcloud Server is a self-hosted personal cloud system. In affected versions, OAuth2 authorization codes did not expire: an attacker who obtained an authorization code could redeem it for an authenticated session at any later time. As of version 28.0.0, authorization codes are invalidated after 10 minutes and are no longer accepted once that window has passed. To exploit this vulnerability an attacker would first need to intercept an OAuth2 authorization code from a user's session. Upgrading Nextcloud Server to 28.0.0 is recommended; the affected-version data on this page also lists 26.0.11 and 27.1.6 as the first unaffected releases in the 26 and 27 branches. There are no known workarounds for this vulnerability.
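The behaviour before and after the fix, as an added example that is not Nextcloud's code: an in-memory OAuth2 authorization-code store in two shapes. `VulnerableCodeStore` accepts a code however old it is, which is the pre-28.0.0 behaviour the advisory describes; `HardenedCodeStore` enforces the 10-minute lifetime introduced in 28.0.0, drops expired codes so they cannot be retried, and keeps codes single-use and bound to the client they were issued to. Class names, parameter names and the sha256-keyed storage are assumptions made for this illustration.

```python
"""Added example (not Nextcloud's code): an OAuth2 authorization-code store in
the two shapes the advisory describes. VulnerableCodeStore accepts a code no
matter how old it is; HardenedCodeStore enforces the 10-minute lifetime that
28.0.0 introduced. Names and the storage layout are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 600  # advisory: codes are invalidated after 10 minutes in 28.0.0


@dataclass
class IssuedCode:
    client_id: str
    user_id: str
    issued_at: float  # seconds since epoch; passed in explicitly so callers control time


def _key(code: str) -> str:
    # Store only a digest of the code so a leaked store does not yield usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


class VulnerableCodeStore:
    """Pre-28.0.0 behaviour: a code is valid until it is redeemed, however old it is."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}

    def issue(self, client_id: str, user_id: str, now: float) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[_key(code)] = IssuedCode(client_id, user_id, now)
        return code

    def redeem(self, code: str, client_id: str, now: float) -> Optional[str]:
        """Return the user the code was issued for, or None if it is not accepted."""
        entry = self._codes.get(_key(code))
        if entry is None or entry.client_id != client_id:
            return None
        # No age check: an intercepted code can be redeemed days later.
        del self._codes[_key(code)]
        return entry.user_id


class HardenedCodeStore(VulnerableCodeStore):
    """28.0.0-style behaviour: same store, but codes older than CODE_TTL_SECONDS are refused."""

    def redeem(self, code: str, client_id: str, now: float) -> Optional[str]:
        key = _key(code)
        entry = self._codes.get(key)
        if entry is None:
            return None
        if now - entry.issued_at > CODE_TTL_SECONDS:
            # Expired: drop it so a later retry cannot succeed either.
            del self._codes[key]
            return None
        if entry.client_id != client_id:
            return None
        del self._codes[key]  # single use
        return entry.user_id

    def purge_expired(self, now: float) -> int:
        """Housekeeping for codes that were never redeemed; returns how many were removed."""
        stale = [k for k, e in self._codes.items() if now - e.issued_at > CODE_TTL_SECONDS]
        for k in stale:
            del self._codes[k]
        return len(stale)


def demo() -> Dict[str, Optional[str]]:
    """Issue a code at t=0 in both stores and try to redeem it one day later."""
    one_day = 24 * 3600.0
    vulnerable, hardened = VulnerableCodeStore(), HardenedCodeStore()
    old_code = vulnerable.issue("client-1", "alice", 0.0)
    new_code = hardened.issue("client-1", "alice", 0.0)
    return {
        "vulnerable_after_one_day": vulnerable.redeem(old_code, "client-1", one_day),
        "hardened_after_one_day": hardened.redeem(new_code, "client-1", one_day),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `"alice"` for the vulnerable store and `None` for the hardened one: the same intercepted code, one day old, still authenticates against the first and is refused by the second. The `now` parameter is passed in rather than read from the clock so the lifetime check can be exercised deterministically.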
Possible mitigation
Server: * No workaround available
Enterprise Server: * No workaround available
Data provided by the National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server, version < 28.0.0
VulnDex Vulnerability Enrichment
Further vulnerability information

| System | Product | Affected versions |
|---|---|---|
| Nextcloud | Server | >= 26.0.0, < 26.0.11 |
| Nextcloud | Server | >= 27.0.0, < 27.1.6 |
| Nextcloud | Server | >= 28.0.0, < 28.0.0 (empty range as published) |
| Nextcloud | Enterprise Server | >= 26.0.0, < 26.0.11 |
| Nextcloud | Enterprise Server | >= 27.0.0, < 27.1.6 |
| Nextcloud | Enterprise Server | >= 28.0.0, < 28.0.0 (empty range as published) |
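A version check against the ranges above, as an added example that is neither VulnDex's nor Nextcloud's code. It parses the version that a Nextcloud instance reports in the JSON served at `/status.php` and reports whether it is affected and which release in its branch first carried the fix. The sample JSON is constructed; the `version` field name matches what current Nextcloud releases return but should be confirmed against your own instance. Versions below 26.0.0 are outside the enriched ranges but inside NVD's blanket `< 28.0.0`, so they are reported as affected with 28.0.0 as the upgrade target.

```python
"""Added example (not VulnDex's or Nextcloud's code): decide whether a Nextcloud
Server version falls in the affected ranges this page lists, reading the version
from the JSON a Nextcloud instance serves at /status.php. The sample JSON is
constructed; the 'version' field name is an assumption to verify on your host."""
import json
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges from the enrichment section of this page (lower inclusive, upper exclusive).
# The published ">= 28.0.0, < 28.0.0" range is empty and is omitted.
AFFECTED_RANGES = [
    ((26, 0, 0), (26, 0, 11)),
    ((27, 0, 0), (27, 1, 6)),
]
FIRST_FIXED = {26: "26.0.11", 27: "27.1.6"}


def parse_version(text: str) -> Version:
    """'27.1.5.1' -> (27, 1, 5); Nextcloud's fourth component is a build number."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def assess(version_text: str) -> Dict[str, object]:
    """Return affected status plus the release to move to."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return {"version": version_text, "affected": True, "upgrade_to": FIRST_FIXED[low[0]]}
    if v < (26, 0, 0):
        # Below the enriched ranges but still inside NVD's blanket "< 28.0.0";
        # those branches have no listed fix, so the advisory's own target applies.
        return {"version": version_text, "affected": True, "upgrade_to": "28.0.0"}
    return {"version": version_text, "affected": False, "upgrade_to": None}


def assess_status_json(raw: str) -> Dict[str, object]:
    """Feed the body of `curl -s https://<host>/status.php` to assess()."""
    return assess(json.loads(raw)["version"])


# Constructed sample of a status.php response (field layout assumed).
SAMPLE_STATUS = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"27.1.5.1","versionstring":"27.1.5","edition":"",'
    '"productname":"Nextcloud","extendedSupport":false}'
)

if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS))
```

Run against the constructed sample it reports 27.1.5 as affected with 27.1.6 as the upgrade target; 26.0.11, 27.1.6 and 28.0.0 come back as not affected.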
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.507 |
| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.7 | 2.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| security-advisories@github.com | 3.0 | 1.3 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N |
CWE-613 Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."