CVE-2022-39338 - Stored Cross-site Scripting Vulnerability in user_oidc OpenID Connect for Nextcloud Prior to 1.2.1, Impacting Safari Web Browser Users

Nextcloud, an incredibly popular platform for self-hosted cloud storage and collaboration, employs user_oidc, an OpenID Connect user backend that streamlines user authentication using various identity providers. Unfortunately, researchers discovered a vulnerability in the user_oidc module that has been assigned the identifier CVE-2022-39338. This post aims to provide an overview of the vulnerability, affected versions, and steps you can take to protect your Nextcloud instance.

Description

The vulnerability CVE-2022-39338 is a stored Cross-site Scripting (XSS) attack that specifically impacts versions of user_oidc prior to 1.2.1. The vulnerability is due to the module's failure to properly validate discovery URLs. As a result, an attacker could inject malicious code, which could be executed in the context of the victim's browser. Notably, the vulnerability has only been demonstrated to be exploitable in the Safari web browser.

Impact and Severity

Although the risk is somewhat mitigated by the restrictive Content Security Policy (CSP) applied on the affected endpoint, this vulnerability remains a cause for concern. Exploiting this vulnerability could allow an attacker to compromise a victim's Nextcloud account or access their data.

It's essential to note that the impact of this vulnerability is limited to users utilizing the Safari web browser. Users of other browsers are not at risk.

Affected Versions

The CVE-2022-39338 vulnerability affects user_oidc versions prior to 1.2.1.

Solution

To address this issue, Nextcloud has released user_oidc version 1.2.1, which includes a patch for the vulnerability. Users are strongly advised to upgrade their installations to version 1.2.1 as soon as possible.

For users who cannot upgrade to version 1.2.1 for any reason, a temporary workaround is to avoid using the Safari web browser to access Nextcloud instances running vulnerable versions of user_oidc. Users should be instructed to use alternative browsers until the issue can be resolved.

For more information about CVE-2022-39338, please refer to the following official resources

1. Nextcloud Security Advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2022-006
2. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39338

In conclusion, although the CVE-2022-39338 vulnerability's impact is limited to Safari users, it's crucial to address the issue promptly. Upgrading to user_oidc version 1.2.1 is the recommended solution, but for those unable to upgrade, avoiding the Safari browser can provide temporary protection. Stay safe and secure by keeping your software up-to-date and following best practices for web security.

Timeline

Published on: 11/25/2022 19:15:00 UTC
Last modified on: 12/01/2022 20:43:00 UTC