1216300 – (CVE-2023-45151) VUL-0: CVE-2023-45151: nextcloud: OAuth2 client_secret stored in plain text in the database

Bug 1216300 (CVE-2023-45151) - VUL-0: CVE-2023-45151: nextcloud: OAuth2 client_secret stored in plain text in the database

Summary: VUL-0: CVE-2023-45151: nextcloud: OAuth2 client_secret stored in plain text i...

Status:	NEW

Alias:	CVE-2023-45151

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Eric Schirra
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/382016/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-10-17 06:47 UTC by SMASH SMASH
Modified:	2024-04-16 08:00 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-10-17 06:47:58 UTC

Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.

References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45151

Comment 1 Eric Schirra 2023-10-18 05:12:00 UTC

In devel, factory and Tumbleweed there is 27.1.2
Last version in branch 24 is 24.0.12.
But 24 is End of Life since 2023-04.
And i have no rights for SLE.

Comment 2 Eric Schirra 2024-04-16 08:00:22 UTC

What's going on?
Can i close?