Bypass of 2 Factor Authentication (NC-SA-2018-007)
3rd August 2018
Risk level: High
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
HackerOne report: 248656
Improper validation of the second-factor challenge allowed an attacker who already held a user's credentials (username and password) to bypass the second-factor check entirely and obtain a fully authenticated session.
- Nextcloud Server < 12.0.3 (CVE-2018-3775)
The error has been fixed and regression tests are in place.
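The following is an added illustration of the defect class the advisory describes, not Nextcloud's code or the actual fixed code path: a password login that starts a session in a "second factor pending" state, a TOTP challenge endpoint that flips that state only after the code verifies, and a gatekeeper that refuses every other route until it has flipped. The weak variant gates only on "a user is logged in", which is exactly what lets an attacker holding the password skip the challenge. The routes, the user record, the password and the RFC 6238 test seed are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed fixture (not real credentials): one user, password and TOTP seed.
# The seed is the RFC 4226/6238 test-vector secret "12345678901234567890".
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",
    }
}
TOTP_STEP = 30
PROTECTED = "/index.php/apps/files"   # hypothetical route that must require 2FA
CHALLENGE = "/login/challenge"        # hypothetical second-factor challenge route


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps, constant-time compare."""
    counter = now // TOTP_STEP
    return any(
        hmac.compare_digest(totp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def login(session: dict, user: str, password: str) -> bool:
    """First factor. On success the session is explicitly NOT fully authenticated yet."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    session.clear()                    # fresh session state, no leftover flags
    session["user"] = user
    session["two_factor_ok"] = False   # server-side, never derived from client input
    return True


def dispatch(session: dict, path: str, enforce_second_factor: bool,
             code: str = None, now: int = 0) -> int:
    """Tiny router returning an HTTP-like status.

    enforce_second_factor=False models the weak gatekeeper (bug class: only
    checks that a user is logged in); True models the hardened one.
    """
    if "user" not in session:
        return 401
    if path == CHALLENGE:
        secret = USERS[session["user"]]["totp_secret"]
        if code is not None and verify_totp(secret, code, now):
            session["two_factor_ok"] = True   # the only place the flag is set
            return 200
        return 403                            # wrong/missing code: state unchanged
    if enforce_second_factor and not session.get("two_factor_ok", False):
        return 403                            # hardened: challenge not passed yet
    return 200


def attacker_with_password_only(enforce_second_factor: bool) -> int:
    """Attacker knows the password, never answers the challenge, hits a protected route."""
    session = {}
    if not login(session, "alice", "correct horse battery staple"):
        return 401
    return dispatch(session, PROTECTED, enforce_second_factor)


def legitimate_user(now: int, code: str) -> tuple:
    """Full flow: login, answer the challenge with `code`, then request the protected route."""
    session = {}
    login(session, "alice", "correct horse battery staple")
    challenge_status = dispatch(session, CHALLENGE, True, code=code, now=now)
    protected_status = dispatch(session, PROTECTED, True)
    return challenge_status, protected_status, session["two_factor_ok"]


if __name__ == "__main__":
    print("weak gatekeeper, password only:", attacker_with_password_only(False))
    print("hardened gatekeeper, password only:", attacker_with_password_only(True))
    print("legitimate user, correct code:", legitimate_user(59, "287082"))
    print("legitimate user, wrong code:", legitimate_user(59, "000000"))
```

The point of the design is that "second factor passed" lives as a server-side session flag that defaults to false, is set in exactly one place after a verified challenge, and is checked by the gatekeeper for every route other than the challenge itself; a bypass of the class described above becomes possible as soon as any of those three properties is dropped.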
It is recommended that all instances are upgraded at least to Nextcloud 12.0.3.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
- kaysbugs - Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0.