User password is available in memory of the PHP process

Impact

Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user.

Patches

It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2
It is recommended that the Nextcloud Enterprise Server is upgraded to 28.0.12, 29.0.9 or 30.0.2

Workarounds

No workaround available

References

Reported by: Bundesamt für Sicherheit in der Informationstechnik (BSI), mgm-sp
PullRequest

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at portal.nextcloud.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User password is available in memory of the PHP process

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses

Credits