PT-2022-24909 · Nextcloud · User Oidc

Lauritz · Published 2022-11-25 · Updated 2022-12-01 · CVE-2022-39339

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: user oidc versions prior to 1.2.1

Description: The issue concerns the user oidc OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1, sensitive information such as OIDC client credentials and tokens is sent in plain text over HTTP without TLS. Any attacker able to monitor user traffic can therefore read these values and potentially compromise account security.

Recommendations: For versions prior to 1.2.1, upgrade to user oidc v1.2.1 to address the issue. As a temporary workaround for users unable to upgrade, access Nextcloud over HTTPS and set an HTTPS discovery URL in the provider settings within the Nextcloud OIDC admin settings.
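The workaround above relies on the provider's discovery URL, and every endpoint the discovery document points to, being served over TLS. The following audit script is an added example, not code from Nextcloud or the user oidc app: it checks a configured discovery URL and the JSON discovery document for any endpoint that would carry credentials or tokens over plain HTTP. The endpoint key names are the standard OIDC Discovery metadata fields; the two discovery documents and the URLs are constructed samples, and the document is passed in as a string so the check runs offline (in practice it would be fetched from the HTTPS discovery URL).

```python
import json
from urllib.parse import urlparse

# Standard OIDC Discovery metadata keys whose URLs carry client credentials,
# authorization codes, tokens or signing keys, so their transport matters.
ENDPOINT_KEYS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)


def is_https(url):
    """True only for an absolute URL with the https scheme and a host."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_discovery_url(discovery_url):
    """Problems with the configured discovery URL itself (the admin setting)."""
    problems = []
    if not is_https(discovery_url):
        problems.append(f"discovery URL is not HTTPS: {discovery_url}")
    return problems


def check_discovery_document(doc):
    """Return (key, url) pairs for every known endpoint not served over TLS.

    Keys absent from the document are skipped; only present endpoints are judged.
    """
    findings = []
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is not None and not is_https(url):
            findings.append((key, url))
    return findings


def audit(discovery_url, document_json):
    """Combine both checks into a flat list of human-readable findings."""
    problems = check_discovery_url(discovery_url)
    doc = json.loads(document_json)
    for key, url in check_discovery_document(doc):
        problems.append(f"{key} is not HTTPS: {url}")
    return problems


# Constructed sample: a provider configured over plain HTTP (the weak setup).
WEAK_DISCOVERY_URL = "http://idp.example.test/.well-known/openid-configuration"
WEAK_DOC = json.dumps({
    "issuer": "http://idp.example.test",
    "authorization_endpoint": "http://idp.example.test/auth",
    "token_endpoint": "http://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks",
})

# Constructed sample: the same provider with an HTTPS discovery URL and endpoints.
SAFE_DISCOVERY_URL = "https://idp.example.test/.well-known/openid-configuration"
SAFE_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/jwks",
})


if __name__ == "__main__":
    for name, url, doc in (("weak", WEAK_DISCOVERY_URL, WEAK_DOC),
                           ("safe", SAFE_DISCOVERY_URL, SAFE_DOC)):
        findings = audit(url, doc)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run against the weak sample it reports the discovery URL plus the three HTTP endpoints (the jwks_uri is already HTTPS and passes); the safe sample reports nothing. A cleartext token_endpoint is the finding to treat as critical, since that is where the client secret and the issued tokens travel.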

Exploit

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

CVE-2022-39339
GHSA-2VFF-CQ8H-CHHG

Affected Products

User Oidc