CVE-2022-39339 - How Plaintext OIDC Credential Leaks Put Nextcloud Accounts at Risk

user_oidc is a widely used OpenID Connect (OIDC) user backend for Nextcloud, enabling seamless SSO (Single Sign-On) integration with identity providers. On November 10, 2022, a critical security vulnerability was identified and registered as CVE-2022-39339. The flaw exposes sensitive credentials by transmitting them over HTTP in plaintext, rather than encrypting them with HTTPS. Below, we’ll walk through how this happened, possible exploitation scenarios, and concrete steps to stay secure.

What’s the Problem?

Prior to version 1.2.1, the _user_oidc_ app sent OIDC client credentials and access tokens over ordinary HTTP: unencrypted, and readable by anyone able to capture the network traffic (for example, an attacker on the same Wi-Fi network). This means:

Your client ID and client secret (which identify and authenticate your app) could have been intercepted and exploited by malicious actors.

Example: Insecure HTTP Exchange

POST http://nextcloud.example.com/index.php/apps/user_oidc/token
Content-Type: application/x-www-form-urlencoded

client_id=my-oidc-client
&client_secret=my-secret
&grant_type=authorization_code
&code=abc123...

# This entire request, including your client_secret and code, is readable on the network!

- Extract Tokens or Secrets: Read the plaintext OIDC credentials from captured packets.
- Hijack Accounts: Use these stolen tokens/secrets to log in as the user or impersonate the OIDC client, bypassing all password protection.

Simulated Attacker’s Steps

# Start Wireshark and filter for HTTP traffic on port 80
wireshark -i eth -f "tcp port 80"

# Find POST requests to /apps/user_oidc/token
# Inspect data: client_id, client_secret, code, token

How Was This Fixed?

In version 1.2.1 and later, _user_oidc_ enforces HTTPS: the fix checks whether the provider URL uses an encrypted scheme and, if not, refuses to send sensitive information. Here’s what the fixed code looks like:

// Refuse to use a provider whose discovery URL is not served over HTTPS
if (parse_url($oidcProviderUrl, PHP_URL_SCHEME) !== 'https') {
    throw new Exception('OIDC provider discovery URL must use HTTPS.');
}
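The same scheme check, carried one step further, as an added example in Python (not user_oidc's own PHP code): besides the discovery URL, it also verifies that the endpoints advertised in the provider's discovery document (standard OIDC Discovery metadata names) use HTTPS, since that is where the client secret and tokens actually travel. The sample discovery document is constructed for the example.

```python
"""Added example (not user_oidc's own code): enforce HTTPS for an OIDC
provider's discovery URL and for the endpoints its discovery document
advertises, mirroring the scheme check introduced in user_oidc 1.2.1."""
import json
from urllib.parse import urlparse


class InsecureOidcConfig(ValueError):
    """Raised when an OIDC URL would carry credentials over plaintext HTTP."""


def require_https(url: str, what: str) -> str:
    """Return url unchanged if it uses https, raise otherwise.

    urlparse lowercases the scheme, so 'HTTPS://...' is accepted; an empty
    host is rejected so that a malformed 'https:///token' does not pass."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureOidcConfig(f"{what} must use HTTPS, got: {url!r}")
    return url


# Discovery-document endpoints that receive the client secret or hand out
# tokens; every one of them must be HTTPS as well.
SENSITIVE_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                       "userinfo_endpoint", "jwks_uri")


def validate_discovery(discovery_url: str, discovery_doc: str) -> dict:
    """Validate the discovery URL and the endpoints in the (already fetched)
    discovery document JSON. Returns the parsed document on success."""
    require_https(discovery_url, "OIDC provider discovery URL")
    doc = json.loads(discovery_doc)
    for key in SENSITIVE_ENDPOINTS:
        if key in doc:
            require_https(doc[key], key)
    return doc


# Constructed sample: the discovery URL is HTTPS, but the provider
# advertises a plaintext token endpoint, which the check must catch.
SAMPLE_DOC = json.dumps({
    "issuer": "https://my-oidc-provider.com",
    "authorization_endpoint": "https://my-oidc-provider.com/authorize",
    "token_endpoint": "http://my-oidc-provider.com/token",
})


def check(discovery_url: str, doc: str = SAMPLE_DOC) -> str:
    """Return 'ok' or the rejection reason, for easy reporting."""
    try:
        validate_discovery(discovery_url, doc)
        return "ok"
    except InsecureOidcConfig as exc:
        return str(exc)
```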

Reference

- Official user_oidc changelog and CVE discussion

Install user_oidc v1.2.1 or later from the Nextcloud app store, or via the command line:

occ app:update user_oidc

If upgrading is not possible

- Make sure that ALL traffic to Nextcloud runs over HTTPS (a free TLS certificate is available from Let's Encrypt).
- In Nextcloud admin settings, for OIDC, set your provider’s discovery URL to start with https://:
 - Example: https://my-oidc-provider.com/.well-known/openid-configuration

Final Thoughts

CVE-2022-39339 is a classic example of why encrypted transport is a must for anything sensitive. If you used user_oidc before v1.2.1, assume your OIDC credentials may have been at risk and rotate your client secrets. Adopt HTTPS wherever possible—not just for your Nextcloud server, but also for your identity provider.

Further Reading

- Nextcloud Security Advisories
- user_oidc GitHub Repository
- Nextcloud Hardened Security Guidelines
- What is OpenID Connect? (Auth docs)

Timeline

Published on: 11/25/2022 19:15:00 UTC
Last modified on: 12/01/2022 20:43:00 UTC