CVE-2024-37313

HIGH

Nextcloud Server < 21.0.9.17 - Authentication Bypass

Title source: rule

Description

Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.

References (3)

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c

[Issue Tracking, Patch] https://github.com/nextcloud/server/pull/44276

[Issue Tracking] https://hackerone.com/reports/2419776

Scores

CVSS v3 7.3

EPSS 0.0018

EPSS Percentile 39.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-287

Status published

Affected Products (2)

nextcloud/nextcloud_server < 21.0.9.17

nextcloud/nextcloud_server < 26.0.13

Timeline

Published Jun 14, 2024

Tracked Since Feb 18, 2026