Incorrect Implementation of Authentication Algorithm

CVE-2023-39953

Medium

4.8/10

Summary

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No known workarounds are available.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-303 - Incorrect Implementation of Authentication Algorithm

The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

References

Advisory Timeline

Published Aug 10, 2023

Incorrect Implementation of Authentication Algorithm

CVE-2023-39953

Summary

CWE-303 - Incorrect Implementation of Authentication Algorithm

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS