Webauthn tokens not removed after user has been deleted
High
LukasReschke
published
GHSA-6qr9-c846-j8mgJul 12, 2021
Package
Nextcloud Server
Affected versions
< 19.0.13, < 20.0.11, < 21.0.3
Patched versions
19.0.13, 20.0.11, 21.0.3
Description
Impact
Webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account.
Patches
It is recommended that the Nextcloud Server is upgraded to 19.0.13, 20.0.11 or 21.0.3
Impact
Webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account.
Patches
It is recommended that the Nextcloud Server is upgraded to 19.0.13, 20.0.11 or 21.0.3
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory: