Bug ID 1207978
Summary VUL-0: CVE-2023-23944: nextcloud: user's passwords stored in cleartext in the database during the duration of OAuth2 setup procedure
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/356232/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter thomas.leroy@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

CVE-2023-23944

Nextcloud mail is an email app for the nextcloud home server platform. In
versions prior to 2.2.2 user's passwords were stored in cleartext in the
database during the duration of OAuth2 setup procedure. Any attacker or
malicious user with access to the database would have access to these user
passwords until the OAuth setup has been completed. It is recommended that the
Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for
this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23944
https://github.com/nextcloud/mail/pull/7797
https://www.cve.org/CVERecord?id=CVE-2023-23944
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g86r-x755-93f4
https://hackerone.com/reports/1806275

