CVE-2024-52525 LOW

CVE-2024-52525: Nextcloud Server User password is available in memory of the PHP process

Vendor Nextcloud
Product security-advisories
Weakness CWE-312 · Cleartext storage
Published November 15, 2024
Last update November 15, 2024

CVSS base score

1.8/10
Attack vector Physical
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

Description

Nextcloud Server is a self-hosted personal cloud system. Under certain conditions, a user's password was stored unencrypted in the session data. The session data is encrypted before being written to the session storage (Redis or disk), so the exposure is limited to a malicious process that gains access to the memory of the PHP process, which could then read the user's cleartext password. It is recommended that Nextcloud Server be upgraded to 28.0.12, 29.0.9 or 30.0.2.

Key dates

Disclosure timeline

November 15, 2024 CVE published
November 15, 2024 Record updated