CVE-2024-37312

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37312
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37312.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37312
Aliases
  • GHSA-vw7g-959g-vj6q
Published
2024-06-14T15:15:51Z
Modified
2024-06-17T22:46:20.315567Z
Summary
[none]
Details

The user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account and eventually gain access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).

Affected packages

Git / github.com/nextcloud/user_oidc

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/user_oidc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.2.1
v0.3.0
v0.3.1
v0.3.2

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6