PT-2017-10155 · Nextcloud · Nextcloud Server

Dalt4Sec

Published

2017-03-28

Updated

2019-10-09

CVE-2016-9464

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 9.0.54 Nextcloud Server version 10.0.0

Description The issue arises from an improper authorization check on removing shares. Specifically, the Sharing Backend in Nextcloud differentiates between shares to users and groups. In the case of a received group share, users should be able to unshare the file to themselves but not to the whole group. However, the previous API implementation simply unshared the file to all users in the group.

Recommendations For Nextcloud Server versions prior to 9.0.54, update to version 9.0.54 or later to resolve the issue. For Nextcloud Server version 10.0.0, update to a version later than 10.0.0 to resolve the issue.

Exploit

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

CVE-2016-9464

Affected Products

Nextcloud Server

PT-2017-10155 · Nextcloud · Nextcloud Server

CVE-2016-9464

Weakness Enumeration

Related Identifiers

Affected Products

References · 10