Description
user_oidc is the OpenID Connect (OIDC) user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 up to (but not including) 1.3.0 effectively allowed an attacker to bypass the state protection, because the expected state token from the first request could simply be copied into the second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.
References
- Vendor Advisory
- Patch, Vendor Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: version from 1.0.0 (inclusive) to 1.3.0 (exclusive)
cpe:2.3:a:nextcloud:user_oidc:*:*:*:*:*:*:*:*
EPSS
Percentile: 45%
Score: 0.00223
Low
CVSS3: 4.8 Medium
CVSS3: 5.4 Medium
Weaknesses
CWE-352