CVE-2024-52519

Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file, would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.7 LOW
PHYSICAL
HIGH
HIGH
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
GitHub_MCNA
2.7 LOW
PHYSICAL
HIGH
HIGH
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
VendorProductVersion
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.11.8
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.10
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.10
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.7
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fvpc-8hq6-jgq2
https://github.com/nextcloud/server/commit/09b8aea8f6783514bffe00df6abbf9fa542faac5
https://github.com/nextcloud/server/pull/47635