CVE-2023-49792

2023-12-2217:15:08

Google

osv.dev

nextcloud

server

enterprise

versions

proxy

security issue

patch

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.0%

JSON

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

CPENameOperatorVersion
servereq26.0.1
servereq26.0.3rc2
servereq26.0.9rc1
servereq26.0.2
servereq26.0.8rc1
servereq26.0.6rc1
servereq26.0.4
servereq26.0.3
servereq26.0.4rc1
servereq26.0.5

Name	Operator	Version
server	eq	26.0.1
server	eq	26.0.3rc2
server	eq	26.0.9rc1
server	eq	26.0.2
server	eq	26.0.8rc1
server	eq	26.0.6rc1
server	eq	26.0.4
server	eq	26.0.3
server	eq	26.0.4rc1
server	eq	26.0.5