PT-2017-3590 · Nextcloud+1

Ludwig Nussel · Published 2017-04-28 · Updated 2019-10-09 · CVE-2017-9286

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nextcloud versions (affected versions not specified)
Description: The issue is related to insufficient access control in the Nextcloud platform on the openSUSE Leap operating system. It allows a remote attacker to gain root privileges during a Nextcloud package upgrade by exploiting scripts running as the wwwrun user, specifically those located in the /srv/www/htdocs directory.
Recommendations: For all affected versions, consider restricting access to the /srv/www/htdocs directory to minimize the risk of exploitation. As a temporary workaround, consider disabling the execution of scripts in the /srv/www/htdocs directory until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

BDU:2018-00527
CVE-2017-9286

Affected Products

Nextcloud
openSUSE Leap