CVE-2024-22212 CRITICAL

CVE-2024-22212: Nextcloud global site selector authentication bypass

Vendor Nextcloud
Product security-advisories
Weakness CWE-306 · Missing auth
Published January 18, 2024
Last update September 11, 2024

CVSS base score

9.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

January 18, 2024 CVE published
September 11, 2024 Record updated