CVE-2023-39958

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.8 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
GitHub_MCNA
5.8 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
nextcloudnextcloud_server
22.0.0 ≤
𝑥
< 22.2.10.14
nextcloudnextcloud_server
23.0.0 ≤
𝑥
< 23.0.12.9
nextcloudnextcloud_server
24.0.0 ≤
𝑥
< 24.0.12.5
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
27.0.0
nextcloudnextcloud_server
27.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://github.com/nextcloud/server/pull/38773
https://hackerone.com/reports/1258448
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://github.com/nextcloud/server/pull/38773
https://hackerone.com/reports/1258448