user_oidc app stores client secret unencrypted in database
Description
user_oidc 1.0.0–1.3.2 stores OIDC client secrets unencrypted in the database, allowing an attacker with DB read access to impersonate the Nextcloud server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The user_oidc app for Nextcloud, versions 1.0.0 up to but not including 1.3.3, stores OIDC provider and id4me client secrets in plaintext within the database [1][2]. This design flaw exposes the secrets to any attacker who has obtained read access to a database snapshot, such as through a backup leak or database-level compromise.
Exploitation
An attacker must first gain read access to a copy of the Nextcloud database (e.g., via a database dump, backup file, or SQL injection) [2]. The attacker can then retrieve the unencrypted client secrets from the stored OIDC configuration records. With these secrets, the attacker can perform actions that the legitimate Nextcloud server would perform towards linked OIDC providers.
Impact
Successful exploitation allows the attacker to impersonate the Nextcloud server when communicating with connected OIDC identity providers [2]. This can lead to unauthorized access to protected resources, potentially compromising the confidentiality and integrity of data exchanged between the Nextcloud instance and the OIDC provider. The attacker does not need to authenticate as a Nextcloud user or have administrative privileges in the app itself.
Mitigation
The vulnerability is fixed in user_oidc version 1.3.3, released on 2023-08-10 [1]. All users should upgrade to this version immediately. No known workarounds are available [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories (v5), affected range: >= 1.0.0, < 1.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/nextcloud/security-advisories/security/advisories/GHSA-3f92-5c8p-f6gq (CONFIRM)
- [2] github.com/nextcloud/user_oidc/pull/636 (MISC)
- [3] hackerone.com/reports/1994328 (MISC)
News mentions
No linked articles in our index yet.