CVE-2023-45151
Summary
| CVE | CVE-2023-45151 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-16 19:15:00 UTC |
| Updated | 2023-10-20 12:18:00 UTC |
| Description | Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext, which allows an attacker who has gained access to the server to potentially elevate their privileges. This issue has been addressed, and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability. |
Risk And Classification
Problem Types: CWE-312
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Nextcloud | Nextcloud Server | All | All | All | All |
| Application | Nextcloud | Nextcloud Server | 27.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Store encrypted OAuth2 client secrets by julien-nc · Pull Request #38398 · nextcloud/server · GitHub | MISC | github.com | |
| HackerOne | MISC | hackerone.com | |
| OAuth2 client_secret stored in plain text in the database · Advisory · nextcloud/security-advisories · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.