CVE-2023-39954
LowCVSS 3.8Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
The user_oidc module, which provides the OIDC connect backend for Nextcloud, has a vulnerability that allows an attacker to impersonate the Nextcloud server if they gain at least read access to a snapshot of the database. The issue exists in versions from 1.0.0 to 1.3.2, and version 1.3.3 contains a patch.
Risk Assessment
Attackers may exploit this vulnerability to gain unauthorized access to linked servers, potentially leading to data leakage or system integrity breaches.
Recommendation
It is recommended to upgrade to version 1.3.3 or later to mitigate this vulnerability. No known workarounds are available.
Original NVD description (English source)
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are available.

