CVE-2024-52519: Nextcloud Server's OAuth2 client secrets were stored in a recoverable way
First published: Fri Nov 15 2024(Updated: )
Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file, would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Server | <28.0.10<29.0.7 | |
| Nextcloud Enterprise Server | >=27.1.11.8<=27.1.11.8<28.0.10<29.0.7 | |
| Nextcloud Server | >=27.0.0<27.1.11.8 | |
| Nextcloud Server | >=28.0.0<28.0.10 | |
| Nextcloud Server | >=28.0.0<28.0.10 | |
| Nextcloud Server | >=29.0.0<29.0.7 | |
| Nextcloud Server | >=29.0.0<29.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-52519?
CVE-2024-52519 has been classified as a moderate severity vulnerability due to the potential exposure of OAuth2 client secrets.
How do I fix CVE-2024-52519?
To fix CVE-2024-52519, upgrade your Nextcloud Server to version 29.0.8 or later, or to a secure version of the Enterprise Server as recommended in the advisory.
What are the affected software versions for CVE-2024-52519?
CVE-2024-52519 affects Nextcloud Server versions prior to 29.0.8, 28.0.10, and certain releases of the Nextcloud Enterprise Server up to 28.0.10.
What data is at risk with CVE-2024-52519?
CVE-2024-52519 puts OAuth2 client secrets at risk of being accessed if an attacker gains access to a backup of the database and configuration files.
What action should I take if I am using an affected version of Nextcloud for CVE-2024-52519?
If you are using an affected version of Nextcloud, immediately upgrade your software to the latest secure release to mitigate the risks associated with CVE-2024-52519.
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/severity
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- vendor/nextcloud
- canonical/nextcloud server
- canonical/nextcloud enterprise server
- version/nextcloud server/27.0.0
- version/nextcloud server/28.0.0
- version/nextcloud server/29.0.0