ID4me does not validate signature or expiration

Moderate
nickvergessen published GHSA-vw5h-29xf-g55g Jun 14, 2024

Package

user_oidc (Nextcloud)

Affected versions

< 1.3.5

Patched versions

1.3.5, 2.0.0, 3.0.0, 4.0.0, 5.0.0

Description

Impact

An attacker could potentially trick the app into accepting a request that is not signed by the correct server.

Patches

It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.

Workarounds

  • No workaround available

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate 5.4 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2024-37886

Weaknesses