CVE-2024-22403: 
Linux Fedora vulnerability analysis and mitigation

Nextcloud server, a self-hosted personal cloud system, was found to have a vulnerability where OAuth codes did not expire. This vulnerability (CVE-2024-22403) was discovered and disclosed in January 2024, affecting all versions prior to 28.0.0. The vulnerability impacts the authentication mechanism of the Nextcloud Server system (Vendor Advisory).

The vulnerability stems from OAuth authorization codes having no expiration time, allowing them to remain valid indefinitely. When an attacker obtains an authorization code from a user session, they could use it at any time to authenticate as that user. As of version 28.0.0, OAuth codes are now invalidated after 10 minutes and will no longer be authenticated. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

If exploited, this vulnerability would allow an attacker who has intercepted an OAuth code from a user session to authenticate as that user at any time, potentially leading to unauthorized access to user accounts and data. The impact is somewhat mitigated by the high complexity of the attack, requiring the attacker to first obtain the OAuth code through other means (Vendor Advisory).

The recommended mitigation is to upgrade Nextcloud Server to version 28.0.0 or later, which implements a 10-minute expiration time for OAuth codes. There are no known workarounds for this vulnerability for users who cannot upgrade (Vendor Advisory, Patch).