Upstream information

CVE-2023-28848 at MITRE

Description

user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 4.8 4.8
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required High High
User Interaction Required Required
Scope Changed Changed
Confidentiality Impact Low Low
Integrity Impact Low Low
Availability Impact None None
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1210097 [RESOLVED / INVALID]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Tue Apr 4 16:00:16 2023
CVE page last modified: Wed Apr 26 12:01:53 2023