Skip to content

user_ldap app logs user passwords in the log file on level debug

Moderate
nickvergessen published GHSA-35p6-4992-w5fr Nov 21, 2023

Package

Server (Nextcloud)

Affected versions

>= 25.0.0, >= 26.0.0, >= 27.0.0

Patched versions

25.0.11, 26.0.6, 27.1.0
Server (Nextcloud Enterprise)
>= 25.0.0, >= 26.0.0, >= 27.0.0
25.0.11, 26.0.6, 27.1.0

Description

Impact

When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked.

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.11, 26.0.6 or 27.1.0
It is recommended that the Nextcloud Enterprise Server is upgraded to 25.0.11, 26.0.6 or 27.1.0

Workarounds

  • Change config setting loglevel to 1 or higher (should always be higher than 1 in production environments).

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
4.2
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2023-48305

Weaknesses