CVE-2022-36074

2022-09-1522:15:11

Google

osv.dev

nextcloud

vulnerability

account access

upgrade

information exposure

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.8%

JSON

Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

CPENameOperatorVersion
servereq23.0.0
servereq23.0.1
servereq23.0.6
servereq23.0.1rc2
servereq23.0.4
servereq23.0.5rc1
servereq23.0.7rc2
servereq23.0.4rc1
servereq23.0.5
servereq23.0.3rc1

Name	Operator	Version
server	eq	23.0.0
server	eq	23.0.1
server	eq	23.0.6
server	eq	23.0.1rc2
server	eq	23.0.4
server	eq	23.0.5rc1
server	eq	23.0.7rc2
server	eq	23.0.4rc1
server	eq	23.0.5
server	eq	23.0.3rc1