Bugzilla – Bug 1226372
VUL-0: CVE-2024-37313: nextcloud: ability to bypass the second factor of 2FA after successfully providing the user credentials
Last modified: 2024-06-15 09:30:51 UTC
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37313 https://www.cve.org/CVERecord?id=CVE-2024-37313 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c https://github.com/nextcloud/server/pull/44276 https://hackerone.com/reports/2419776
This once again shows a problem with the stubborn adherence to the default of no major or minor update of packages. The major version 24 is EndOfLife since 2023-04. https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule Leap 15.6 just came out a few days ago. With a package that has been dead for a year. You can't update from 24 to 29 either. Even if you are allowed to according to suse specifications. Because in nextcloud you only have to/may only update one level at a time. 24 -> 25 -> 26 -> 27 -> 28 -> 29. 24.0.12.13 is not open source and can not download. So what should you do in this case?