Bug 1216300 (CVE-2023-45151)

Summary: VUL-0: CVE-2023-45151: nextcloud: OAuth2 client_secret stored in plain text in the database
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Eric Schirra <ecsos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382016/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-17 06:47:58 UTC 
Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45151
Comment 1 Eric Schirra 2023-10-18 05:12:00 UTC 
In devel, factory and Tumbleweed there is 27.1.2
Last version in branch 24 is 24.0.12.
But 24 is End of Life since 2023-04.
And i have no rights for SLE.
Comment 2 Eric Schirra 2024-04-16 08:00:22 UTC 
What's going on?
Can i close?