CVE-2023-45151
OAuth2 client_secret stored in plain text in the Nextcloud database
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.
El servidor Nextcloud es una plataforma de nube doméstica de código abierto. Las versiones afectadas de Nextcloud almacenaron tokens OAuth2 en texto plano, lo que permite a un atacante que haya obtenido acceso al servidor elevar potencialmente sus privilegios. Este problema se solucionó y se recomienda a los usuarios actualizar su servidor Nextcloud a la versión 25.0.8, 26.0.3 o 27.0.1. No se conocen workarounds para esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-10-04 CVE Reserved
- 2023-10-16 CVE Published
- 2024-09-16 CVE Updated
- 2024-10-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-312: Cleartext Storage of Sensitive Information
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/nextcloud/server/pull/38398 | 2023-10-20 |
URL | Date | SRC |
---|---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9 | 2023-10-20 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 25.0.0 < 25.0.8 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 25.0.0 < 25.0.8" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 25.0.0 < 25.0.8 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 25.0.0 < 25.0.8" | enterprise |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 26.0.0 < 26.0.3 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 26.0.0 < 26.0.3" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 26.0.0 < 26.0.3 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 26.0.0 < 26.0.3" | enterprise |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | 27.0.0 Search vendor "Nextcloud" for product "Nextcloud Server" and version "27.0.0" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | 27.0.0 Search vendor "Nextcloud" for product "Nextcloud Server" and version "27.0.0" | enterprise |
Affected
|