Executive Summary

This vulnerability exists in the Nextcloud User OIDC app, where an improper check in the LdapService allowed users who were deleted from LDAP to still authenticate through the User OIDC system.

Specifically, a bug in the method `LdapService::isLdapDeletedUser` caused the system to incorrectly allow deleted LDAP users to authenticate, due to a wrong condition check.

This issue affected versions starting from 1.3.6 up to before version 8.4.0 and was patched in version 8.4.0.

Useful 0 Not Useful 0

Impact Analysis

An attacker with low privileges could exploit this vulnerability to authenticate as a user who has been deleted from LDAP, potentially gaining unauthorized access.

The impact on confidentiality, integrity, and availability is limited but still present, as unauthorized users might access resources they should no longer have access to.

The vulnerability requires user interaction and has a moderate severity with a CVSS score of 4.6.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade the User OIDC app to version 8.4.0 or later, where the issue has been patched.

As a workaround, disabling the user_oidc app can also prevent exploitation of this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows deleted LDAP users to still authenticate via the User OIDC app due to improper access control. Such unauthorized access could potentially lead to unauthorized data exposure or access to sensitive information.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper access control and unauthorized authentication can pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of personal or sensitive data.

Useful 0 Not Useful 0