Bug 1214175 (CVE-2023-39958) - VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client secrets of configured OAuth2 clients
Summary: VUL-0: CVE-2023-39958: nextcloud: missing bruteforce protection for client se...
Status: NEW
Alias: CVE-2023-39958
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/374995/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-11 08:41 UTC by Carlos López
Modified: 2024-04-16 08:11 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-08-11 08:41:25 UTC 
CVE-2023-39958

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 22.0.0 and prior to versions 22.2.10.13,
23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an
attacker to brute force the client secrets of configured OAuth2 clients.
Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise
Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1
contain a patch for this issue. No known workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39958
https://www.cve.org/CVERecord?id=CVE-2023-39958
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://github.com/nextcloud/server/pull/38773
https://hackerone.com/reports/1258448
Comment 1 Eric Schirra 2024-04-16 08:11:48 UTC 
All versions < 27 are end of life.
Version 28.0.4 os in devel and factory.
I have no rights for SLE.
osc mbranch only show sle.
So no more i can do.