Lucene search

NextcloudGHSA-PWJV-H37V-C4FX

HistoryMay 20, 2022 - 8:09 a.m.

Bypass of password requirements when sharing a folder via the Circles app

2022-05-2008:09:47

github.com

nextcloud

circles app

link sharing

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.0%

JSON

Description

Impact

A user can create an link that is not password protected even if this is forced by the administrator.

Patches

It is recommended that the Nextcloud Server is upgraded to 22.2.6 or 23.0.3

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/circles/pull/866

github.com/nextcloud/circles/pull/926

hackerone.com/reports/1406926

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.0%

JSON

Related for GHSA-PWJV-H37V-C4FX