CVE-2024-37317

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/notes/pull/1260	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx	Third Party Advisory
https://hackerone.com/reports/2254151	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:notes:*:*:*:*:*:nextcloud:*:*

History

19 Aug 2024, 15:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nextcloud:notes::::::nextcloud::*
CWE		CWE-862
First Time		Nextcloud notes Nextcloud
References	~~() https://github.com/nextcloud/notes/pull/1260 -~~	() https://github.com/nextcloud/notes/pull/1260 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx - Third Party Advisory
References	~~() https://hackerone.com/reports/2254151 -~~	() https://hackerone.com/reports/2254151 - Issue Tracking

17 Jun 2024, 12:42

Type	Values Removed	Values Added
Summary		(es) La aplicación Nextcloud Notes es una aplicación para tomar notas sin distracciones para Nextcloud. Si un atacante lograba compartir una carpeta llamada `Notas/` con un usuario recién creado antes de iniciar sesión, la aplicación Notas usaría esa carpeta para almacenar las notas personales. Se recomienda actualizar la aplicación Nextcloud Notes a 4.9.3.

14 Jun 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 16:15

Updated : 2024-08-19 15:42

NVD link : CVE-2024-37317

Mitre link : CVE-2024-37317

CVE.ORG link : CVE-2024-37317

JSON object : View

Products Affected

nextcloud

notes

CWE

CWE-862

Missing Authorization

CWE-284

Improper Access Control

{"id": "CVE-2024-37317", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.2}]}, "published": "2024-06-14T16:15:11.960", "references": [{"url": "https://github.com/nextcloud/notes/pull/1260", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2254151", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3."}, {"lang": "es", "value": "La aplicaci\u00f3n Nextcloud Notes es una aplicaci\u00f3n para tomar notas sin distracciones para Nextcloud. Si un atacante lograba compartir una carpeta llamada `Notas/` con un usuario reci\u00e9n creado antes de iniciar sesi\u00f3n, la aplicaci\u00f3n Notas usar\u00eda esa carpeta para almacenar las notas personales. Se recomienda actualizar la aplicaci\u00f3n Nextcloud Notes a 4.9.3."}], "lastModified": "2024-08-19T15:42:54.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:notes:*:*:*:*:*:nextcloud:*:*", "vulnerable": true, "matchCriteriaId": "E2A24E4C-43C7-4799-9C22-8CD82C579B49", "versionEndExcluding": "4.9.3", "versionStartIncluding": "4.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}