Nextcloud user_oidc's ID4me does not validate signature or expiration

Vulnerability

The user_oidc app for Nextcloud fails to validate the signature and expiration of ID4me OpenID Connect tokens [1]. This vulnerability affects versions prior to 1.3.5. An attacker can craft a malicious token that the app accepts as valid without proper cryptographic verification [1].

Exploitation

An attacker can send a request containing a forged ID4me token to a Nextcloud instance running an affected version. No prior authentication is needed; the attacker only needs network access to the Nextcloud server [1]. The app will process the token as if it came from a trusted OpenID provider.

Impact

Successful exploitation allows the attacker to bypass authentication and gain access to the Nextcloud instance as any user they impersonate via the forged token [1]. This can lead to unauthorized data access, privilege escalation, and further compromise of the system.

Mitigation

The issue is fixed in versions 1.3.5, 2.0.0, 3.0.0, 4.0.0, and 5.0.0 [1]. Users should upgrade to one of these versions immediately. No workaround is available [1]. The fix improves ID4me token validation in pull request #715 [2].