Authentication header is passed on by Nextcloud Server due to a vulnerable GuzzleHTTP version
| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Server (Nextcloud) | < 23.0.7, < 24.0.3 | 23.0.7, 24.0.3 |
| Server (Nextcloud Enterprise) | < 22.2.11, < 23.0.7, < 24.0.3 | 22.2.11, 23.0.7, 24.0.3 |
Impact
Affected versions of this package are vulnerable to Information Exposure: the bundled GuzzleHTTP dependency is out of date and fails to strip the Authorization header when a redirect downgrades the connection from HTTPS to HTTP, which can lead to the Authorization header being disclosed.
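To make the failure mode concrete, the following is an added, stand-alone model of the redirect-handling policy a correct HTTP client applies: credentials are dropped from the follow-up request when the redirect downgrades HTTPS to HTTP (the case this advisory describes) and, going slightly beyond the page, also when the redirect moves to a different host. It is not Nextcloud or GuzzleHTTP code; the hostnames, paths and response table are constructed for the example.

```python
"""Model of a redirect-following policy that drops the Authorization header
when a redirect downgrades the connection from HTTPS to HTTP or changes host.
Added illustration only, not Nextcloud or GuzzleHTTP code; all URLs and the
response table are constructed."""

from urllib.parse import urlsplit, urljoin

# Headers that carry credentials and must not survive a downgrade or host change.
SENSITIVE_HEADERS = {"authorization", "cookie"}


def should_strip_credentials(original_url: str, redirect_url: str) -> bool:
    """True when following the redirect would send credentials over plain HTTP
    (https -> http downgrade) or to a host other than the one they were meant for."""
    src = urlsplit(original_url)
    dst = urlsplit(redirect_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    host_changed = (src.hostname or "").lower() != (dst.hostname or "").lower()
    return downgrade or host_changed


def headers_for_redirect(original_url: str, redirect_url: str, headers: dict) -> dict:
    """Return the header set to use on the redirected request."""
    if not should_strip_credentials(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(start_url: str, headers: dict, responses: dict,
                     max_redirects: int = 5) -> list:
    """Walk a redirect chain against a constructed response table
    (url -> (status, Location-or-None)) and record the headers each hop sends.
    Returns a list of (url, headers_sent) tuples in request order."""
    url, sent = start_url, dict(headers)
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, sent))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trail
        next_url = urljoin(url, location)
        sent = headers_for_redirect(url, next_url, sent)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed scenario (hypothetical host): an HTTPS endpoint redirects to
# plain HTTP on the same host (the downgrade case); a second endpoint
# redirects within HTTPS, where credentials may legitimately be kept.
CONSTRUCTED_RESPONSES = {
    "https://cloud.example.test/remote.php/dav": (302, "http://cloud.example.test/remote.php/dav"),
    "http://cloud.example.test/remote.php/dav": (200, None),
    "https://cloud.example.test/status.php": (302, "https://cloud.example.test/index.php/status"),
    "https://cloud.example.test/index.php/status": (200, None),
}

DEMO_HEADERS = {"Authorization": "Basic placeholder-credential", "User-Agent": "demo"}


def downgrade_trail() -> list:
    """Redirect chain that downgrades to HTTP: Authorization must not be re-sent."""
    return follow_redirects("https://cloud.example.test/remote.php/dav",
                            DEMO_HEADERS, CONSTRUCTED_RESPONSES)


def same_scheme_trail() -> list:
    """Redirect chain that stays on HTTPS and the same host: Authorization is kept."""
    return follow_redirects("https://cloud.example.test/status.php",
                            DEMO_HEADERS, CONSTRUCTED_RESPONSES)


if __name__ == "__main__":
    for hop_url, hop_headers in downgrade_trail():
        print(hop_url, sorted(hop_headers))
```

The vulnerable behaviour corresponds to `headers_for_redirect` returning the original headers unchanged on the first chain, so the second hop would carry the Authorization header over plain HTTP; a client with the corrected policy sends only the non-credential headers on that hop.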
Patches
It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3.
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: