Bug ID 1214175
Summary VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client secrets of configured OAuth2 clients
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/374995/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter carlos.lopez@suse.com
QA Contact security-team@suse.de
Target Milestone ---
Found By ---
Blocker --- 

CVE-2023-39958

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 22.0.0 and prior to versions 22.2.10.13,
23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an
attacker to brute force the client secrets of configured OAuth2 clients.
Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise
Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1
contain a patch for this issue. No known workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39958
https://www.cve.org/CVERecord?id=CVE-2023-39958
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://github.com/nextcloud/server/pull/38773
https://hackerone.com/reports/1258448

You are receiving this mail because: