CVE-2024-52519

Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file, would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.1 / Impact : 2.5

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fvpc-8hq6-jgq2
https://github.com/nextcloud/server/commit/09b8aea8f6783514bffe00df6abbf9fa542faac5
https://github.com/nextcloud/server/pull/47635

Configurations

No configuration.

History

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por el usuario. Los secretos del cliente OAuth2 se almacenaron de forma recuperable, de modo que un atacante que tuviera acceso a una copia de seguridad de la base de datos y al archivo de configuración de Nextcloud pudiera descifrarlos. Se recomienda actualizar Nextcloud Server a 28.0.10 o 29.0.7 y Nextcloud Enterprise Server a 27.1.11.8, 28.0.10 o 29.0.7.

15 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 17:15

Updated : 2024-11-18 17:11

NVD link : CVE-2024-52519

Mitre link : CVE-2024-52519

CVE.ORG link : CVE-2024-52519

JSON object : View

Products Affected

No product.

CWE

CWE-922

Insecure Storage of Sensitive Information

2.7 /10