user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.
References
Link | Resource |
---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-52hv-xw32-wf7f | Vendor Advisory |
https://github.com/nextcloud/user_oidc/pull/580 | Patch Vendor Advisory |
https://hackerone.com/reports/1878381 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-04T12:38:31.201Z
Updated: 2023-04-04T12:38:31.201Z
Reserved: 2023-03-24T16:25:34.467Z
Link: CVE-2023-28848
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-04-04T13:15:08.797
Modified: 2023-04-10T17:37:52.570
Link: CVE-2023-28848
JSON object: View
Redhat Information
No data.
CWE