Lucene search

NextcloudGHSA-W47P-F66H-H2VJ

HistoryMar 31, 2023 - 7:44 a.m.

User without download rights can download older version of that file

2023-03-3107:44:53

github.com

nextcloud

security vulnerability

uncontrolled distribution

upgrade

hackerone

pullrequest

support ticket

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

27.5%

JSON

Description

Impact

Users that should not be able to download a file can still download an older version and use that for uncontrolled distribution.

Patches

It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4
It is recommended that the Nextcloud Enterprise Server is upgraded to 24.0.10 or 25.0.4

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/server/pull/36113

hackerone.com/reports/1795581

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

27.5%

JSON

Related for GHSA-W47P-F66H-H2VJ