Bug 1214179 (CVE-2023-39963)

Summary: VUL-0: CVE-2023-39963: nextcloud: missing password check allows attackers to add app passwords on compromised accounts
Product: [openSUSE] openSUSE Distribution Reporter: Carlos López <carlos.lopez>
Component: SecurityAssignee: Eric Schirra <ecsos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374999/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-11 08:51:43 UTC 
CVE-2023-39963

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 20.0.0 and prior to versions 20.0.14.15,
21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a
missing password confirmation allowed an attacker, after successfully stealing a
session from a logged in user, to create app passwords for the victim. Nextcloud
server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server
versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9,
26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are
available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39963
https://www.cve.org/CVERecord?id=CVE-2023-39963
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5
https://github.com/nextcloud/server/pull/39416
https://hackerone.com/reports/2067572
Comment 1 Eric Schirra 2024-04-16 08:10:29 UTC 
All versions < 27 are end of life.
Version 28.0.4 os in devel and factory.
I have no rights for SLE.
osc mbranch only show sle.
So no more i can do.