CVE-2023-49790: 
NixOS vulnerability analysis and mitigation

The Nextcloud iOS Files app, which allows users to interact with Nextcloud (a self-hosted productivity platform), was found to contain a security vulnerability (CVE-2023-49790) where users could bypass the 4-digit PIN code authentication prior to version 4.9.2. This vulnerability was disclosed in December 2023 and affected all versions of the Nextcloud iOS Files app before version 4.9.2 (Nextcloud Advisory).

The vulnerability has been classified with a CVSS v3.1 base score of 4.3 (Medium), with the following vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is categorized as CWE-287 (Improper Authentication), indicating a fundamental authentication bypass issue. The physical attack vector (AV:P) suggests that physical access to the device is required to exploit the vulnerability (NVD).

The vulnerability allows unauthorized access to the application's functionality without providing the required 4-digit PIN code, potentially exposing user data and functionality to anyone with physical access to the device. This results in low-level impacts to confidentiality, integrity, and availability of the protected resources (Nextcloud Advisory).

The vulnerability has been patched in Nextcloud iOS Files app version 4.9.2. Users are strongly advised to upgrade to this version or later. No alternative workarounds are available for this vulnerability (Nextcloud Advisory).