Main Vulnerability Database Vulnerabilities #VU74349

Improper Authentication in Nextcloud Android App - CVE-2023-28646

Published: April 4, 2023

Vulnerability identifier: #VU74349

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-28646

CWE-ID: CWE-287

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Nextcloud Android App

Software vendor:
Nextcloud

Description

The vulnerability allows a local attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests in the App pin. An authenticated attacker with physical access to an unlocked device can bypass the Nextcloud Android Pin protection via a thirdparty app.

Remediation

Install updates from vendor's website.

External links

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3rf-94h6-vj8v
https://github.com/nextcloud/android/pull/11242

Improper Authentication in Nextcloud Android App - CVE-2023-28646

Description

Remediation

External links

Please verify you're human