CVE Catalog

CVE-2023-39954

LowCVSS 3.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

The user_oidc module, which provides the OIDC connect backend for Nextcloud, has a vulnerability that allows an attacker to impersonate the Nextcloud server if they gain at least read access to a snapshot of the database. The issue exists in versions from 1.0.0 to 1.3.2, and version 1.3.3 contains a patch.

Risk Assessment

Attackers may exploit this vulnerability to gain unauthorized access to linked servers, potentially leading to data leakage or system integrity breaches.

Recommendation

It is recommended to upgrade to version 1.3.3 or later to mitigate this vulnerability. No known workarounds are available.

Original NVD description (English source)

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are available.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS