Nextcloud user_oidc: missing access control on the ID4me endpoint (before 3.0.0) allows open registration
CVE-2024-37312 Published on June 14, 2024

Nextcloud user_oidc app's ID4me feature is reachable even when it is disabled
The user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an unauthenticated attacker to complete the ID4me flow and register an account, even when the administrator has disabled ID4me in the app settings. The newly created account then has access to everything that is exposed to all registered users of the instance. It is recommended that the OpenID Connect user backend be upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).
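The pattern behind this class of bug is a feature flag that is honoured by the settings UI but never checked by the HTTP route itself. The following is an added illustration, not code from user_oidc or from the actual fix: the config key name `id4me_enabled`, the handler names and the in-memory user backend are all assumptions made for the example, and the real routing and provisioning logic of the app are not shown. It contrasts a callback that auto-provisions a user regardless of the flag with one that refuses the request before touching the user backend.

```python
"""Added example: feature flag read but not enforced at the endpoint,
beside the enforced version. Names and config keys are assumptions,
not user_oidc's real API."""
from dataclasses import dataclass, field


@dataclass
class AppConfig:
    """Stand-in for stored app settings (constructed for this example)."""
    id4me_enabled: bool = False


@dataclass
class UserBackend:
    """Minimal user store: an unknown subject is auto-provisioned on login."""
    users: dict = field(default_factory=dict)

    def provision(self, subject: str, provider: str) -> str:
        uid = f"{provider}:{subject}"
        self.users.setdefault(uid, {"provider": provider})
        return uid


@dataclass
class Response:
    status: int
    body: str = ""


def id4me_callback_vulnerable(config: AppConfig, backend: UserBackend,
                              subject: str, provider: str) -> Response:
    """Before the fix: the route never consults the flag. Anyone who can
    reach it and complete the identity exchange gets an account."""
    uid = backend.provision(subject, provider)
    return Response(200, f"logged in as {uid}")


def id4me_callback_fixed(config: AppConfig, backend: UserBackend,
                         subject: str, provider: str) -> Response:
    """After the fix: a disabled feature is treated like a missing route.
    The check runs first, so no side effect happens while disabled."""
    if not config.id4me_enabled:
        return Response(404, "ID4me is not enabled")
    uid = backend.provision(subject, provider)
    return Response(200, f"logged in as {uid}")


def run_scenarios() -> dict:
    """Drive both handlers with ID4me disabled, then enable it for the
    fixed handler, and report what each did to its user store."""
    cfg = AppConfig(id4me_enabled=False)
    # Constructed identity: the provider and subject an attacker controls.
    subject, provider = "attacker", "id4me.example"

    vuln_store = UserBackend()
    vuln = id4me_callback_vulnerable(cfg, vuln_store, subject, provider)

    fixed_store = UserBackend()
    fixed_off = id4me_callback_fixed(cfg, fixed_store, subject, provider)

    cfg.id4me_enabled = True
    fixed_on = id4me_callback_fixed(cfg, fixed_store, subject, provider)

    return {
        "vulnerable_status": vuln.status,
        "vulnerable_users": sorted(vuln_store.users),
        "fixed_disabled_status": fixed_off.status,
        "fixed_enabled_status": fixed_on.status,
        "fixed_users": sorted(fixed_store.users),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The operational check after upgrading is the same as what the example asserts: with ID4me switched off in the app settings, a request to the app's ID4me login route should be refused outright rather than rendering a login form, and no new user should appear in the backend as a result of the attempt.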

NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2024-37312 has been classified as an Authorization (improper access control) weakness.


Products Associated with CVE-2024-37312

Nextcloud User Oidc (user_oidc app), Nextcloud

Affected Versions

nextcloud security-advisories: nextcloud user_oidc:

Exploit Probability

EPSS
0.47%
Percentile
64.02%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile ranks this score against all other scored vulnerabilities.