Bug 1211788 (CVE-2023-32318)

Summary: VUL-0: CVE-2023-32318: nextcloud: session mishandling
Product: [openSUSE] openSUSE Distribution
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Other
Assignee: Eric Schirra <ecsos>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2023-05-29 06:37:31 UTC
A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38
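The failure mode in the advisory text above, as an added toy model that is not Nextcloud's code and does not claim to reproduce the actual server/Text-app regression: a server-side session store where logout only asks the client to drop its cookie, and a later login through a still-present cookie "continues" the existing record instead of minting a new one, so the previous user's identity survives. The hardened variant destroys the record on logout and always issues a fresh session on authentication. The account names, passwords, cookie name and the `SessionServer` class are constructed for illustration.

```python
"""Toy model of the logout/login session regression described above.

Not Nextcloud code: the session store, the accounts and the cookie handling
are constructed for illustration. A browser is modelled as a dict that holds
the session cookie ("sid"); whether it honours the logout's cookie-clearing
instruction is decided by the scenario, mirroring "cookies not cleared".
"""
import secrets
from typing import Optional

# Constructed test accounts (assumption, not real credentials).
USERS = {"alice": "alice-pw", "bob": "bob-pw"}


class SessionServer:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}  # server-side store: sid -> {"user_id": ...}

    def _new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login(self, browser: dict, user: str, password: str) -> bool:
        """Authenticate `user`; returns True on success."""
        if USERS.get(user) != password:
            return False
        sid = browser.get("sid")
        if self.hardened or sid not in self.sessions:
            # Hardened behaviour: always mint a fresh session on authentication,
            # so nothing left in an old record can carry over (this is also the
            # standard defence against session fixation).
            sid = self._new_session()
            browser["sid"] = sid
        # Flawed behaviour (only reached when not hardened and the cookie still
        # maps to a live record): the existing session is "continued", and a
        # user already bound to it is not overwritten by the new login.
        self.sessions[sid].setdefault("user_id", user)
        return True

    def logout(self, browser: dict) -> None:
        sid = browser.get("sid")
        if self.hardened:
            # Hardened behaviour: destroy the server-side record, so the cookie
            # is worthless afterwards even if the client never discards it.
            self.sessions.pop(sid, None)
        # Both variants instruct the client to drop the cookie; the flawed one
        # relies on that alone and leaves the server-side record intact.
        browser["clear_cookie_requested"] = True

    def whoami(self, browser: dict) -> Optional[str]:
        """Identity the server attributes to this browser's cookie, if any."""
        return self.sessions.get(browser.get("sid"), {}).get("user_id")


def scenario(hardened: bool, cookie_cleared: bool) -> Optional[str]:
    """alice logs in and out, then bob logs in from the same browser.

    Returns the identity the server now attributes to the browser. With the
    flawed store and an uncleared cookie this is still "alice".
    """
    server = SessionServer(hardened)
    browser = {}
    if not server.login(browser, "alice", "alice-pw"):
        raise RuntimeError("alice login failed")
    server.logout(browser)
    if cookie_cleared:
        browser.pop("sid", None)  # client honoured the clearing instruction
    if not server.login(browser, "bob", "bob-pw"):
        raise RuntimeError("bob login failed")
    return server.whoami(browser)


if __name__ == "__main__":
    for hardened in (False, True):
        for cleared in (False, True):
            print(f"hardened={hardened} cookie_cleared={cleared} -> "
                  f"{scenario(hardened, cleared)}")
```

The check a reviewer would run against a real deployment is the last scenario row: log in as user A, log out without touching the browser's cookie jar, log in as user B, and confirm the server attributes the session to B and that A's old session id no longer resolves on the server side.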
Comment 1 Eric Schirra 2023-05-29 07:10:05 UTC
Tumbleweed, Factory and devel have 25.0.7.
Leap still has the master branch 23 and version 23.0.12. No idea if this is also affected.
Major updates are not allowed and an update from 23 to 25 does not work. No idea what I should do.
Comment 2 Eric Schirra 2024-04-16 08:13:42 UTC
What's going on?
Can I close?