CVE-2024-37312 MEDIUM

CVE-2024-37312: Nextcloud user_oidc app's ID4me feature is available even when disabled

Vendor Nextcloud

Product security-advisories

Weakness CWE-284

Published June 14, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28).

Key dates

02Disclosure timeline

June 14, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-37312

Related vulnerabilities

CVE-2024-37312: Nextcloud user_oidc app's ID4me feature is available even when disabled

01Description

02Disclosure timeline

03References

04Related CVE