CVE-2024-52514

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj
https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8
https://github.com/nextcloud/server/pull/44889
https://hackerone.com/reports/2447316

Configurations

No configuration.

History

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por uno mismo. Después de que un usuario reciba un recurso compartido con algunos archivos dentro que están bloqueados por el control de acceso a archivos, el usuario aún podrá copiar la carpeta intermedia dentro de Nextcloud, lo que le permitirá acceder potencialmente a los archivos bloqueados después, según las reglas de control de acceso del usuario. Se recomienda que Nextcloud Server se actualice a 27.1.9, 28.0.5 o 29.0.0 y que Nextcloud Enterprise Server se actualice a 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 o 29.0.0.

15 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 18:15

Updated : 2024-11-18 17:11

NVD link : CVE-2024-52514

Mitre link : CVE-2024-52514

CVE.ORG link : CVE-2024-52514

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2024-52514", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2024-11-15T18:15:30.370", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj", "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8", "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/44889", "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2447316", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0."}, {"lang": "es", "value": "Nextcloud Server es un sistema de nube personal alojado por uno mismo. Despu\u00e9s de que un usuario reciba un recurso compartido con algunos archivos dentro que est\u00e1n bloqueados por el control de acceso a archivos, el usuario a\u00fan podr\u00e1 copiar la carpeta intermedia dentro de Nextcloud, lo que le permitir\u00e1 acceder potencialmente a los archivos bloqueados despu\u00e9s, seg\u00fan las reglas de control de acceso del usuario. Se recomienda que Nextcloud Server se actualice a 27.1.9, 28.0.5 o 29.0.0 y que Nextcloud Enterprise Server se actualice a 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 o 29.0.0."}], "lastModified": "2024-11-18T17:11:56.587", "sourceIdentifier": "security-advisories@github.com"}