CVE-2024-22212

Nextcloud global site selector authentication bypass

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.

Nextcloud Global Site Selector es una herramienta que le permite ejecutar múltiples instancias pequeñas de Nextcloud y redirigir a los usuarios al servidor correcto. Un problema en el método de verificación de contraseña permite que un atacante se autentique como otro usuario. Se recomienda actualizar Nextcloud Global Site Selector a la versión 1.4.1, 2.1.2, 2.3.4 o 2.4.5. No se conocen workarounds para este problema.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-01-08 CVE Reserved
2024-01-18 CVE Published
2024-01-27 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-306: Missing Authentication for Critical Function

CAPEC

References (3)

URL	Tag	Source
https://hackerone.com/reports/2248689	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/nextcloud/globalsiteselector/commit/ab5da57190d5bbc79079ce4109b6bcccccd893ee	2024-01-26
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vj5q-f63m-wp77	2024-01-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nextcloud Search vendor "Nextcloud"		Global Site Selector Search vendor "Nextcloud" for product "Global Site Selector"				>= 1.1.0 < 1.4.1 Search vendor "Nextcloud" for product "Global Site Selector" and version " >= 1.1.0 < 1.4.1"		-		Affected
Nextcloud Search vendor "Nextcloud"		Global Site Selector Search vendor "Nextcloud" for product "Global Site Selector"				>= 2.0.0 < 2.1.2 Search vendor "Nextcloud" for product "Global Site Selector" and version " >= 2.0.0 < 2.1.2"		-		Affected
Nextcloud Search vendor "Nextcloud"		Global Site Selector Search vendor "Nextcloud" for product "Global Site Selector"				>= 2.2.0 < 2.3.4 Search vendor "Nextcloud" for product "Global Site Selector" and version " >= 2.2.0 < 2.3.4"		-		Affected
Nextcloud Search vendor "Nextcloud"		Global Site Selector Search vendor "Nextcloud" for product "Global Site Selector"				>= 2.4.0 < 2.4.5 Search vendor "Nextcloud" for product "Global Site Selector" and version " >= 2.4.0 < 2.4.5"		-		Affected