8.2

CVE-2024-52519

EPSS 1.34%
Veröffentlicht 15.11.2024 17:15:21
Zuletzt bearbeitet 23.01.2025 15:05:17
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's OAuth2 client secrets were stored in a recoverable way

OAuth2 client secrets were stored in a recoverable way

Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file, would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 5 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.11.8

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 28.0.0 < 28.0.10

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.10

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 29.0.0 < 29.0.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 28.0.0, < 28.0.10

Version >= 29.0.0, < 29.0.7

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 27.0.0, < 27.1.11.8

Version >= 28.0.0, < 28.0.10

Version >= 29.0.0, < 29.0.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.34%	0.8

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
security-advisories@github.com	2.7	0.1	2.5	CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

CWE-922 Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fvpc-8hq6-jgq2

Vendor Advisory

https://github.com/nextcloud/server/commit/09b8aea8f6783514bffe00df6abbf9fa542faac5

Patch

https://github.com/nextcloud/server/pull/47635

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fvpc-8hq6-jgq2

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-52519

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52519

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52519

EUVD