CVE-2023-39962

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm	Vendor Advisory
https://github.com/nextcloud/server/pull/39323	Patch
https://hackerone.com/reports/2047168	Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm	Vendor Advisory
https://github.com/nextcloud/server/pull/39323	Patch
https://hackerone.com/reports/2047168	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::-:::
	cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::enterprise:::

History

21 Nov 2024, 08:16

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm - Vendor Advisory~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm - Vendor Advisory
References	~~() https://github.com/nextcloud/server/pull/39323 - Patch~~	() https://github.com/nextcloud/server/pull/39323 - Patch
References	~~() https://hackerone.com/reports/2047168 - Third Party Advisory~~	() https://hackerone.com/reports/2047168 - Third Party Advisory

16 Aug 2023, 13:54

Type	Values Removed	Values Added
References	~~(MISC) https://hackerone.com/reports/2047168 -~~	(MISC) https://hackerone.com/reports/2047168 - Third Party Advisory
References	~~(MISC) https://github.com/nextcloud/server/pull/39323 -~~	(MISC) https://github.com/nextcloud/server/pull/39323 - Patch
References	~~(MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm -~~	(MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm - Vendor Advisory
CPE		cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::-::: cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::* cpe:2.3:a:nextcloud:nextcloud_server:27.0.0::::enterprise::: cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.7
First Time		Nextcloud Nextcloud nextcloud Server

10 Aug 2023, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-10 18:15

Updated : 2024-11-21 08:16

NVD link : CVE-2023-39962

Mitre link : CVE-2023-39962

CVE.ORG link : CVE-2023-39962

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-284

Improper Access Control

7.7 /10