http://bugzilla.opensuse.org/show_bug.cgi?id=1207978 Bug ID: 1207978 Summary: VUL-0: CVE-2023-23944: nextcloud: user's passwordsstored in cleartext in the database during the duration of OAuth2 setup procedure Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/356232/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos@schirra.net Reporter: thomas.leroy@suse.com QA Contact: security-team@suse.de Found By: Security Response Team Blocker: --- CVE-2023-23944 Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23944 https://github.com/nextcloud/mail/pull/7797 https://www.cve.org/CVERecord?id=CVE-2023-23944 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8... https://hackerone.com/reports/1806275 -- You are receiving this mail because: You are on the CC list for the bug.