Vulnerability Description
Nextcloud Server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials, so a valid password alone was enough to reach an account that had two-factor authentication enabled. It is recommended that Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and that Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.
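The advisory does not say which code path let the second factor be skipped, so the following is an added, generic illustration of the bug class rather than Nextcloud's code or the actual root cause of CVE-2024-37313. It contrasts a login flow in which the session is marked as logged in as soon as the password matches (leaving the second factor as a separate check that any handler can forget) with a flow in which the user identity is only exposed to handlers after the second factor has been verified. The user store, password hashing and handler names are constructed for the example; the TOTP routine follows RFC 6238 so it can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user store for this example (not Nextcloud's).
# SHA-256 is used only to keep the example short; a real deployment
# uses a slow, salted password hash.
USERS = {
    "alice": {
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "two_factor_enabled": True,
    },
    "bob": {
        "password_sha256": hashlib.sha256(b"battery staple").hexdigest(),
        "totp_secret": None,
        "two_factor_enabled": False,
    },
}


def totp_code(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(given, user["password_sha256"])


# --- Pattern that allows a second-factor bypass (illustrative) ------------
# The session carries a usable uid as soon as the password matches. The
# second factor is a separate flag that every handler must remember to
# check; a handler that forgets is reachable with only the password.

def vulnerable_login(session, username, password):
    if not password_ok(username, password):
        return False
    session["uid"] = username
    session["two_factor_passed"] = not USERS[username]["two_factor_enabled"]
    return True


def vulnerable_files_handler(session):
    # Only checks uid, never session["two_factor_passed"].
    return session.get("uid") is not None


# --- Hardened pattern ------------------------------------------------------
# The password step records only a *pending* login. The uid is set, and
# therefore visible to handlers, only after the second factor is verified,
# and all handlers resolve identity through the same current_user().

def hardened_login(session, username, password):
    if not password_ok(username, password):
        return False
    if USERS[username]["two_factor_enabled"]:
        session["pending_uid"] = username  # not an identity yet
    else:
        session["uid"] = username
    return True


def hardened_verify_totp(session, code, now=None):
    pending = session.get("pending_uid")
    if pending is None:
        return False
    now = int(time.time()) if now is None else now
    secret = USERS[pending]["totp_secret"]
    # Accept the current and the previous step to tolerate small clock skew.
    expected = [totp_code(secret, now), totp_code(secret, now - 30)]
    if not any(hmac.compare_digest(code, e) for e in expected):
        return False
    session.pop("pending_uid")
    session["uid"] = pending  # identity becomes usable only now
    return True


def current_user(session):
    return session.get("uid")


def hardened_files_handler(session):
    return current_user(session) is not None
```

The point of the hardened variant is structural: there is no state in which a handler can see a uid for a 2FA-enabled account before the second factor has been verified, so a missing check in one endpoint cannot turn into a bypass. A real implementation would also regenerate the session identifier when the pending login is upgraded to a full one.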
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 21.0.0, < 21.0.9.17 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9 (Vendor Advisory)
- https://github.com/nextcloud/server/pull/44276 (Issue Tracking, Patch)
- https://hackerone.com/reports/2419776 (Issue Tracking)
FAQ
What is CVE-2024-37313?
CVE-2024-37313 is a vulnerability with a CVSS score of 7.3 (HIGH). Nextcloud Server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended...
How severe is CVE-2024-37313?
CVE-2024-37313 has been rated HIGH with a CVSS base score of 7.3/10. A bypass of the second factor means that a valid password alone is enough to log in, so accounts relying on 2FA against credential theft or phishing lose that protection until the server is upgraded.
Is there a patch for CVE-2024-37313?
Yes. The fix is tracked in the vendor advisory and the nextcloud/server pull request listed in the References section; upgrade to the fixed versions given in the Vulnerability Description (Nextcloud Server 26.0.13, 27.1.8 or 28.0.4, or the corresponding Nextcloud Enterprise Server releases). Affected product: Nextcloud Server (vendor: Nextcloud).