Name of the Vulnerable Software and Affected Versions:
Nextcloud Server versions prior to 29.0.15, 30.0.9, and 31.0.3
Nextcloud Enterprise Server versions prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3
Description:
The issue is a bug in session handling. When the server is configured with the remember login cookie lifetime set to 0, the second-factor confirmation is skipped after a successful login with username and password if the session expires on the second-factor selection page and that page is then reloaded.
Recommendations:
For Nextcloud Server versions prior to 29.0.15, 30.0.9, and 31.0.3, update to version 29.0.15, 30.0.9, or 31.0.3.
For Nextcloud Enterprise Server versions prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3, update to version 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, or 31.0.3.
As a temporary workaround, set the remember login cookie lifetime in config.php to a value other than 0, e.g. 900.
System administrators can also delete affected sessions.
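The following script is an added example, not part of the advisory or of Nextcloud itself, for checking an instance against the two conditions above: an installed version below the fixed release of its branch, and the config.php key for the remember login cookie lifetime (`remember_login_cookie_lifetime`) set to 0. The config.php content is a constructed sample; the fixed versions are those listed in the advisory.

```python
import re

# Fixed releases from the advisory, keyed by major version. Any release of a
# listed major below its fixed version is treated as vulnerable; majors the
# advisory does not list (e.g. 28 for the non-Enterprise Server) are reported
# as unknown rather than guessed.
FIXED_SERVER = {29: "29.0.15", 30: "30.0.9", 31: "31.0.3"}
FIXED_ENTERPRISE = {26: "26.0.13.15", 27: "27.1.11.15", 28: "28.0.14.6",
                    **FIXED_SERVER}

# Matches the key only when its value is a plain integer literal; an expression
# such as 60*60*24*15 is deliberately left unparsed (reported as unknown).
COOKIE_RE = re.compile(
    r"""['"]remember_login_cookie_lifetime['"]\s*=>\s*(-?\d+)""")

# Constructed config.php excerpt showing the weak setting.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample',
  'remember_login_cookie_lifetime' => 0,
  'session_lifetime' => 86400,
);
"""


def _vtuple(version):
    return tuple(int(p) for p in version.split("."))


def is_vulnerable_version(version, enterprise=False):
    """True if below the fixed release of its major, False if at or above,
    None if the major version is not covered by the advisory."""
    fixed = FIXED_ENTERPRISE if enterprise else FIXED_SERVER
    v = _vtuple(version)
    if v[0] not in fixed:
        return None
    return v < _vtuple(fixed[v[0]])


def remember_cookie_lifetime(config_php):
    """Integer value of the key, or None if absent or not a plain integer."""
    m = COOKIE_RE.search(config_php)
    return int(m.group(1)) if m else None


def assess(version, config_php, enterprise=False):
    """'patched', 'vulnerable', 'mitigated' (affected version but the
    workaround is applied) or 'unknown' (cannot decide from the inputs)."""
    vuln = is_vulnerable_version(version, enterprise)
    if vuln is None:
        return "unknown"
    if not vuln:
        return "patched"
    lifetime = remember_cookie_lifetime(config_php)
    if lifetime == 0:
        return "vulnerable"
    return "mitigated" if lifetime else "unknown"
```

On a live instance the two inputs can be taken from `occ status` (version) and the instance's config.php; the workaround only reduces exposure, so updating remains the actual fix.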