PT-2023-2472 · Nextcloud · Nextcloud Server

Nickvergessen · Published 2023-03-27 · Updated 2023-04-18 · CVE-2023-26482

CVSS v3.1: 9.0 (Critical)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 24.0.10
Nextcloud Server versions prior to 25.0.4

Description

The issue is a missing scope validation in Nextcloud Server that allows regular users to create workflows intended for administrators only. Some of these workflows can lead to remote code execution (RCE) by invoking scripts or generating PDFs on the server; depending on which apps are installed, the combination of available workflow apps can result in RCE.

Recommendations

For Nextcloud Server versions prior to 24.0.10, upgrade to 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to 25.0.4. Users unable to upgrade should disable the workflow scripts and workflow PDF converter apps as a mitigation.
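To triage a fleet against the two fixed releases above, here is an added POSIX shell check (not part of this advisory or of Nextcloud). It assumes the installed version string is obtained elsewhere (for instance from occ status); the app ids workflow_script and workflow_pdf_converter named in the mitigation helper are the Nextcloud app ids this example assumes for the two apps mentioned in the recommendation.

```shell
#!/bin/sh
# nc_affected MAJOR.MINOR.PATCH
#   exit 0 -> version is in an affected range (before 24.0.10 or before 25.0.4)
#   exit 1 -> version carries the fix
#   exit 2 -> not a 24.x/25.x release or not parseable; check manually
nc_affected() {
    ver=$1
    case $ver in
        *.*.*) ;;            # need at least three components
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}       # 24.0.9.2 -> 9 (four-part builds are common)
    case "$major$minor$patch" in
        *[!0-9]*) return 2 ;; # reject non-numeric parts
    esac
    case $major in
        24) fix_minor=0; fix_patch=10 ;;
        25) fix_minor=0; fix_patch=4 ;;
        *)  return 2 ;;       # other branches are outside this advisory
    esac
    [ "$minor" -lt "$fix_minor" ] && return 0
    [ "$minor" -eq "$fix_minor" ] && [ "$patch" -lt "$fix_patch" ] && return 0
    return 1
}

# nc_mitigation_commands prints (does not run) the occ commands that disable the
# two workflow apps, for operators who cannot upgrade yet. App ids are assumed.
nc_mitigation_commands() {
    printf '%s\n' \
        'php occ app:disable workflow_script' \
        'php occ app:disable workflow_pdf_converter'
}

# Usage: sh check.sh 24.0.9
if [ "$#" -gt 0 ]; then
    if nc_affected "$1"; then
        echo "$1: AFFECTED - upgrade to 24.0.10 / 25.0.4, or as a stopgap run:"
        nc_mitigation_commands
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "$1: fixed" || echo "$1: outside 24.x/25.x, review manually"
    fi
fi
```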

Exploit

Fix

RCE

OS Command Injection


Weakness Enumeration

Related identifiers

ALT-PU-2023-1517
ALT-PU-2023-1547
BDU:2023-02262
CVE-2023-26482
GHSA-H3C9-CMH8-7QPJ

Affected products

Alt Linux
Nextcloud Server
Red Os