Vulnerabilities > CVE-2023-39953 - Incorrect Implementation of Authentication Algorithm vulnerability in Nextcloud User Oidc

CVSS 4.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

high complexity

nextcloud

CWE-303

NVD

Published: 2023-08-10

Updated: 2023-08-16

Summary

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No known workarounds are available.

Vulnerable Configurations

Part	Description	Count
Application	Nextcloud Nextcloud User Oidc 1.0.0 Nextcloud User Oidc 1.1.0 Nextcloud User Oidc 1.2.0 Nextcloud User Oidc 1.2.1 Nextcloud User Oidc 1.3.0 Nextcloud User Oidc 1.3.1 Nextcloud User Oidc 1.3.2	7

Common Weakness Enumeration (CWE)

CWE-303 - Incorrect Implementation of Authentication Algorithm

Common Attack Pattern Enumeration and Classification (CAPEC)

Reflection Attack in Authentication Protocol
An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the attacker illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An attacker can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

References