{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-061.pdf"
    },
    "title": "Vulnerabilities in Nextcloud Products",
    "serial_number": "2024-061",
    "publish_date": "18-06-2024 16:47:33",
    "description": "On June 14, 2024, Nextcloud released patches for Nextcloud Server and Enterprise Server. A vulnerability was disclosed in Nextcloud server products that allows bypassing the second factor of two-factor authentication (2FA).<br>\n",
    "url_title": "2024-061",
    "content_markdown": "---\ntitle: 'Vulnerabilities in Nextcloud Products'\nnumber: '2024-061'\nversion: '1.0'\noriginal_date: 'June 14, 2024'\ndate: 'June 18, 2024'\n---\n\n_History:_\n\n* _18/06/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 14, 2024, Nextcloud released patches for Nextcloud Server and Enterprise Server. A vulnerability was disclosed in Nextcloud server products that allows bypassing the second factor of two-factor authentication (2FA) [1,2].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-37313**, with a CVSS score of 7.3, is a 2FA bypass issue. Under certain circumstances, an attacker could exploit this vulnerability to bypass the second factor of 2FA after successfully providing the user credentials [1].\n\n# Affected Products\n\nPatched versions of the products are listed below [1,3].\n\n- Nextcloud Server: Versions 26.0.13, 27.1.8 and 28.0.4.\n- Nextcloud Enterprise Server: Versions 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 and 28.0.4.\n\n# Recommendations\n\nCERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1].\n\n# References\n\n[1] <https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c>\n\n[2] <https://hackerone.com/reports/2419776>\n\n[3] <https://github.com/nextcloud/server/pull/44276>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>18/06/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 14, 2024, Nextcloud released patches for Nextcloud Server and Enterprise Server. A vulnerability was disclosed in Nextcloud server products that allows bypassing the second factor of two-factor authentication (2FA) [1,2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-37313</strong>, with a CVSS score of 7.3, is a 2FA bypass issue. Under certain circumstances, an attacker could exploit this vulnerability to bypass the second factor of 2FA after successfully providing the user credentials [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>Patched versions of the products are listed below [1,3].</p><ul><li>Nextcloud Server: Versions 26.0.13, 27.1.8 and 28.0.4.</li><li>Nextcloud Enterprise Server: Versions 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 and 28.0.4.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c\">https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://hackerone.com/reports/2419776\">https://hackerone.com/reports/2419776</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/nextcloud/server/pull/44276\">https://github.com/nextcloud/server/pull/44276</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}