What is the vulnerability ID for this Nextcloud mail vulnerability?

The vulnerability ID for this Nextcloud mail vulnerability is CVE-2023-23944.

What is the severity level of CVE-2023-23944?

The severity level of CVE-2023-23944 is medium (6.5).

How can an attacker exploit CVE-2023-23944?

An attacker with access to the database can exploit CVE-2023-23944 by retrieving user passwords stored in cleartext.

What is the recommended solution for CVE-2023-23944?

To mitigate the vulnerability, users should update Nextcloud mail to version 2.2.2 or above.

Vulnerability/
CVE-2023-23944

medium

6.5

CWE

312

6/2/2023

2/8/2024

CVE-2023-23944: Nexcloud Mail app temporarily stores cleartext password in database

Q: How does the vulnerability in Nextcloud mail affect user passwords?

In versions prior to 2.2.2, user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure, exposing them to attackers with access to the database.

First published: Mon Feb 06 2023(Updated: )

Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud mail	<2.2.2

Remedy

https://github.com/nextcloud/mail/pull/7797

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this Nextcloud mail vulnerability?
The vulnerability ID for this Nextcloud mail vulnerability is CVE-2023-23944.
What is the severity level of CVE-2023-23944?
The severity level of CVE-2023-23944 is medium (6.5).
How does the vulnerability in Nextcloud mail affect user passwords?
In versions prior to 2.2.2, user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure, exposing them to attackers with access to the database.
How can an attacker exploit CVE-2023-23944?
An attacker with access to the database can exploit CVE-2023-23944 by retrieving user passwords stored in cleartext.
What is the recommended solution for CVE-2023-23944?
To mitigate the vulnerability, users should update Nextcloud mail to version 2.2.2 or above.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/author
agent/remedy
agent/references
agent/severity
agent/title
agent/tags
agent/first-publish-date
agent/event
agent/description
vendor/nextcloud
canonical/nextcloud mail

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.