CVE-2022-36075

Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue

CVSS v3 2.6 LOW

2.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.0 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/nextcloud/files_accesscontrol/pull/248	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w	Third Party Advisory
https://github.com/nextcloud/files_accesscontrol/pull/248	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:files_access_control::::::::
	cpe:2.3:a:nextcloud:files_access_control:1.13.0:::::::*
	cpe:2.3:a:nextcloud:files_access_control:1.14.0:::::::*

History

21 Nov 2024, 07:12

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 2.6
References	~~() https://github.com/nextcloud/files_accesscontrol/pull/248 - Patch, Third Party Advisory~~	() https://github.com/nextcloud/files_accesscontrol/pull/248 - Patch, Third Party Advisory
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w - Third Party Advisory~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w - Third Party Advisory

Information

Published : 2022-09-15 22:15

Updated : 2024-11-21 07:12

NVD link : CVE-2022-36075

Mitre link : CVE-2022-36075

CVE.ORG link : CVE-2022-36075

JSON object : View

Products Affected

nextcloud

files_access_control

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-269

Improper Privilege Management

{"id": "CVE-2022-36075", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-09-15T22:15:11.387", "references": [{"url": "https://github.com/nextcloud/files_accesscontrol/pull/248", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/files_accesscontrol/pull/248", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue"}, {"lang": "es", "value": "Nextcloud files access control es una aplicaci\u00f3n de nextcloud para administrar el control de acceso a archivos. Los usuarios con acceso limitado pueden visualizar los nombres de los archivos en determinados casos en los que no presentan privilegios para hacerlo. Este problema ha sido abordado y es recomendado actualizar la aplicaci\u00f3n Nextcloud Files Access Control a versiones 1.12.2, 1.13.1 o 1.14.1. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2024-11-21T07:12:19.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:files_access_control:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "716CEADA-BD5C-405E-876E-A8CD5E8AE41C", "versionEndExcluding": "1.12.2"}, {"criteria": "cpe:2.3:a:nextcloud:files_access_control:1.13.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CA8DA50-4BC3-473D-BB0B-77174B7C7516"}, {"criteria": "cpe:2.3:a:nextcloud:files_access_control:1.14.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "545DD0A9-E241-481E-969D-C1CF03B2EA52"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}