Information disclosure

2023-04-0317:15:00

PRIOn knowledge base

www.prio-n.com

nextcloud

server

information

disclosure

vulnerability

api endpoint

data directory

patch

nvd

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. There are no known workarounds.

CPENameOperatorVersion
nextcloud_serverge25.0.0
nextcloud_serverlt25.0.4
nextcloud_serverge24.0.0
nextcloud_serverlt24.0.10
nextcloud_serverge24.0.0
nextcloud_serverlt24.0.10
nextcloud_serverge25.0.0
nextcloud_serverlt25.0.4
nextcloud_serverge23.0.0
nextcloud_serverlt23.0.14

Name	Operator	Version
nextcloud_server	ge	25.0.0
nextcloud_server	lt	25.0.4
nextcloud_server	ge	24.0.0
nextcloud_server	lt	24.0.10
nextcloud_server	ge	24.0.0
nextcloud_server	lt	24.0.10
nextcloud_server	ge	25.0.0
nextcloud_server	lt	25.0.4
nextcloud_server	ge	23.0.0
nextcloud_server	lt	23.0.14