Nextcloud MD5 Hash Collision in Jobs, Fixed in 28.0.10/29.0.7/30.0.0
CVE-2024-52521 Published on November 15, 2024

Nextcloud Server has a potential hash collision for background jobs could skip queuing them
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not be queued for execution. By changing the Hash to SHA256 the probability was heavily decreased. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.

NVD

Vulnerability Analysis

CVE-2024-52521 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Reversible One-Way Hash

The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques. This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.


Products Associated with CVE-2024-52521

stack.watch emails you whenever new vulnerabilities are published in Nextcloud Server or Nextcloud. Just hit a watch button to start following.

Nextcloud Server
 
Nextcloud
 

Affected Versions

nextcloud security-advisories:

Exploit Probability

EPSS
0.99%
Percentile
76.56%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.