Nextcloud Server < 23.0.12, 24.x < 24.0.8, 25.x < 25.0.2 Path Traversal Vulnerability (GHSA-273v-9h7x-p68v)

2023-02-2300:00:00

plugins.openvas.org

nextcloud

path traversal

vulnerability

ghsa-273v-9h7x-p68v

cpe

cve-2023-25579

remote_banner

vendorfix

greenbone ag

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

39.8%

JSON

Nextcloud Server is prone to a path traversal vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later

CPE = "cpe:/a:nextcloud:nextcloud_server";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.126359");
  script_version("2023-10-13T05:06:10+0000");
  script_tag(name:"last_modification", value:"2023-10-13 05:06:10 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-02-23 11:44:52 +0000 (Thu, 23 Feb 2023)");
  script_tag(name:"cvss_base", value:"7.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-03-03 15:09:00 +0000 (Fri, 03 Mar 2023)");

  script_cve_id("CVE-2023-25579");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Nextcloud Server < 23.0.12, 24.x < 24.0.8, 25.x < 25.0.2 Path Traversal Vulnerability (GHSA-273v-9h7x-p68v)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("General");
  script_dependencies("gb_nextcloud_detect.nasl");
  script_mandatory_keys("nextcloud/installed");

  script_tag(name:"summary", value:"Nextcloud Server is prone to a path traversal vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"impact", value:"OC\Files\Node\Folder:getFullPath() is validating and normalizing
  the string in the wrong order. The function seems to be used in newFile() and newFolder() items,
  allowing to create paths outside of ones own space and overwriting data from other users.");

  script_tag(name:"affected", value:"Nextcloud Server versions prior to 23.0.12, version 24.x prior
  to 24.0.8 and version 25.x prior to 25.0.2.");

  script_tag(name:"solution", value:"Update to version 23.0.12, 24.0.8, 25.0.2 or later.");

  script_xref(name:"URL", value:"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (!port = get_app_port(cpe: CPE))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_is_less(version: version, test_version: "23.0.12")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "23.0.12", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "24.0", test_version_up: "24.0.8")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "24.0.8", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

if (version_in_range_exclusive(version: version, test_version_lo: "25.0", test_version_up: "25.0.2")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "25.0.2", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);