Auth bypass in Nextcloud Nextcloud_server
CVE-2024-37313
Nextcloud Server is a self-hosted personal cloud system. Under some circumstances, it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded…
Vulnerability class: Broken Authentication
EPSS: 0.004 (32.0th percentile)
CVSS v3 metric
CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Affected products
- Nextcloud Nextcloud_server
- Nextcloud Security-advisories — versions >= 26.0.0, < 26.0.13; >= 27.0.0, < 27.1.8; >= 28.0.0, < 28.0.4
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
- security-advisories@github.com (Patch, x_refsource_MISC, Issue Tracking)
- security-advisories@github.com (x_refsource_MISC, Issue Tracking)
Frequently asked questions
- What is CVE-2024-37313?
- CVE-2024-37313 is a high-severity vulnerability in Nextcloud Nextcloud_server, classified under Improper Authentication. CVSS score: 7.3/10. Published 2024-06-14.
- How severe is CVE-2024-37313?
- High severity. CVSS v3 base score is 7.3 out of 10.