Issuer not verified from obtained token in user_oidc
Description
Missing issuer verification in Nextcloud user_oidc allows man-in-the-middle attacks using corrupted or known tokens; fixed in v1.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The user_oidc app for Nextcloud, versions 1.0.0 through 1.3.2, fails to verify the iss (issuer) claim from the obtained token [1][2]. This missing verification allows an attacker to present a token from a different issuer as if it were from the trusted OIDC provider. The code path is reachable under default configuration when OIDC authentication is enabled [1].
Exploitation
An attacker in a man-in-the-middle network position can intercept the token exchange and substitute a corrupted or known token that they also hold. The attacker does not need authentication or user interaction beyond the normal login process [2]. The attack complexity is low, as no special privileges are required [2].
Impact
Successful exploitation allows the attacker to impersonate any user whose token they possess or have crafted, leading to unauthorized access with potentially full privileges within the Nextcloud instance. This compromises confidentiality, integrity, and availability of the affected system [2].
Mitigation
Upgrade to user_oidc version 1.3.3, released on 2023-08-10, which adds issuer and audience validation [1][2]. No workarounds are available; the fix is included in the updated version [2].
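The following is an added example, not the user_oidc app's own code (which is PHP), of the claim checks the advisory and the fix describe: the iss claim must match the configured provider, the aud claim must contain this client's ID, and exp must be in the future. It assumes the token's signature has already been verified against the provider's keys before these checks run; the issuer URL, client ID and token contents are constructed sample values.

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token(claims: dict) -> str:
    """Constructed sample JWT with a placeholder signature, for this demo only."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification is assumed to happen before this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def validate_claims(claims: dict, expected_issuer: str, client_id: str, now=None) -> list:
    """Return a list of validation errors; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    errors = []
    # Issuer check: this is the check missing from user_oidc before 1.3.3, so a token
    # from any other provider was treated as if it came from the trusted one.
    if claims.get("iss") != expected_issuer:
        errors.append(f"issuer mismatch: {claims.get('iss')!r} != {expected_issuer!r}")
    # Audience check: aud may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("audience does not include this client")
    # Expiry check: reject missing, malformed or past exp.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        errors.append("token expired or missing exp")
    if not claims.get("sub"):
        errors.append("missing sub")
    return errors


def check_token(token: str, expected_issuer: str, client_id: str, now=None) -> list:
    """Decode the payload and run the claim checks; returns the error list."""
    return validate_claims(decode_jwt_payload(token), expected_issuer, client_id, now)
```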
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), affected range: >= 1.0.0, < 1.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/nextcloud/security-advisories/security/advisories/GHSA-xx3h-v363-q36j (CONFIRM)
- [2] github.com/nextcloud/user_oidc/pull/642 (MISC)
- [3] hackerone.com/reports/2021684 (MISC)
News mentions
No linked articles in our index yet.