Vulnerability Description
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | User Oidc | < 5.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-9Vendor Advisory
- https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1aPatch
- https://hackerone.com/reports/2376929ExploitThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-9Vendor Advisory
- https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1aPatch
- https://hackerone.com/reports/2376929ExploitThird Party Advisory
FAQ
What is CVE-2024-37312?
CVE-2024-37312 is a vulnerability with a CVSS score of 6.3 (MEDIUM). user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is availabl...
How severe is CVE-2024-37312?
CVE-2024-37312 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-37312?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud User Oidc.