PT-2023-20176 · Nextcloud+1 · Nextcloud+1

Nickvergessen · Published 2023-01-16 · Updated 2023-04-03 · CVE-2023-25579

CVSS v3.1: 6.0 (Medium)

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Nextcloud server versions prior to 25.0.2
Nextcloud server versions prior to 24.0.8
Nextcloud server versions prior to 23.0.12

Description

The issue concerns the OC\Files\Node\Folder::getFullPath() function, which was validating and normalizing strings in the wrong order. This function is used in the newFile() and newFolder() methods, potentially allowing the creation of paths outside of one's own space and overwriting data from other users with crafted paths.

Recommendations

For versions prior to 25.0.2, upgrade to version 25.0.2 or later.
For versions prior to 24.0.8, upgrade to version 24.0.8 or later.
For versions prior to 23.0.12, upgrade to version 23.0.12 or later.

Exploit

Fix

Path traversal

Weakness Enumeration

Related identifiers

ALT-PU-2023-1055
ALT-PU-2023-1176
CVE-2023-25579
GHSA-273V-9H7X-P68V
OPENSUSE-SU-2023:0083-1

Affected products

Alt Linux
Nextcloud