CVE-2022-39339 MEDIUM

CVE-2022-39339: Cleartext Transmission of Sensitive Information in user_oidc

Vendor Nextcloud
Product security-advisories
Weakness CWE-319 · Cleartext transmission
Published November 25, 2022
Last update April 23, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1, sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP, without TLS. A malicious actor able to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc v1.2.1; users are advised to upgrade. Users unable to upgrade should access Nextcloud over HTTPS and set an HTTPS discovery URL in the provider settings (Nextcloud OIDC admin settings), so that the endpoints the app learns from the discovery document are also served over TLS.
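The mitigation above comes down to one configuration check: the discovery URL, and every endpoint the provider advertises in its discovery document, must be https, otherwise the client secret sent to the token endpoint and the tokens returned from it travel in cleartext. The script below is an added example, not code from user_oidc or Nextcloud; it audits a discovery document for that condition and also applies the OpenID Connect Discovery rule that the advertised issuer must equal the discovery URL with `/.well-known/openid-configuration` removed. The provider host `idp.example.test` and both discovery documents are constructed sample data.

```python
"""Audit an OIDC provider's discovery configuration for cleartext endpoints.

Added example, not part of user_oidc. Flags any discovery URL or advertised
endpoint that is not served over https (the CWE-319 condition described in
the advisory) and checks the issuer against the discovery URL.
"""
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Endpoints that carry credentials or tokens in the authorization code flow.
SENSITIVE_ENDPOINTS = (
    "authorization_endpoint",  # browser redirect carrying the auth code
    "token_endpoint",          # client_id + client_secret + code -> tokens
    "userinfo_endpoint",       # access token in the Authorization header
    "jwks_uri",                # signing keys used to verify ID tokens
    "end_session_endpoint",    # id_token_hint on logout
)


def is_https(url):
    """True only for an absolute https URL with a host component."""
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def audit_discovery(discovery_url, document):
    """Return a list of findings; an empty list means nothing is cleartext."""
    findings = []
    if not is_https(discovery_url):
        findings.append(f"discovery URL is not https: {discovery_url}")

    for key in SENSITIVE_ENDPOINTS:
        value = document.get(key)
        if value is None:
            continue  # optional endpoint absent, nothing is transmitted to it
        if not is_https(value):
            findings.append(f"{key} is not https: {value}")

    issuer = document.get("issuer", "")
    if not is_https(issuer):
        findings.append(f"issuer is not https: {issuer}")
    # OIDC Discovery: issuer must be identical to the URL the document
    # was fetched from, minus the well-known suffix.
    expected_issuer = discovery_url.rsplit(DISCOVERY_SUFFIX, 1)[0]
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    return findings


def audit_discovery_json(discovery_url, text):
    """Same check, starting from the raw JSON body of the discovery document."""
    return audit_discovery(discovery_url, json.loads(text))


# Constructed sample: a provider configured with an http discovery URL, the
# weak setting the advisory warns about. Every endpoint ends up cleartext.
WEAK_DISCOVERY_URL = "http://idp.example.test" + DISCOVERY_SUFFIX
WEAK_DOC = {
    "issuer": "http://idp.example.test",
    "authorization_endpoint": "http://idp.example.test/auth",
    "token_endpoint": "http://idp.example.test/token",
    "userinfo_endpoint": "http://idp.example.test/userinfo",
    "jwks_uri": "http://idp.example.test/jwks",
}

# Constructed sample: the corrected setting, https discovery URL and
# https endpoints throughout.
FIXED_DISCOVERY_URL = "https://idp.example.test" + DISCOVERY_SUFFIX
FIXED_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/jwks",
}


if __name__ == "__main__":
    for name, url, doc in (("weak", WEAK_DISCOVERY_URL, WEAK_DOC),
                           ("fixed", FIXED_DISCOVERY_URL, FIXED_DOC)):
        problems = audit_discovery(url, doc)
        print(f"{name}: {len(problems)} finding(s)")
        for line in problems:
            print("  -", line)
```

Run it against a live provider by fetching the discovery document over https and passing the body to `audit_discovery_json`. Note that an https discovery URL alone is not sufficient: a provider can still advertise http endpoints in the document, which is why the audit inspects each advertised endpoint rather than only the URL an admin typed into the settings page.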

Key dates

02 Disclosure timeline

November 25, 2022 CVE published
April 23, 2025 Record updated