PT-2022-23162 · Nextcloud · Nextcloud Server
Nickvergessen
Published 2022-08-26 · Updated 2023-07-21
CVE-2022-36074

| CVSS v3.1 | 6.4 (Medium) |
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 23.0.7
Nextcloud Server versions prior to 24.0.3
Nextcloud Enterprise Server versions prior to 22.2.11
Nextcloud Enterprise Server versions prior to 23.0.7
Nextcloud Enterprise Server versions prior to 24.0.3
Description
The Nextcloud server is an open source personal cloud product. Affected versions are vulnerable to Information Exposure: the Authorization header is not stripped when a request is downgraded from HTTPS to HTTP, so the credential it carries can be sent in clear text. This can lead to account access exposure and compromise.
Recommendations
For Nextcloud Server versions prior to 23.0.7, upgrade to 23.0.7 or 24.0.3.
For Nextcloud Server versions prior to 24.0.3, upgrade to 24.0.3.
For Nextcloud Enterprise Server versions prior to 22.2.11, upgrade to 22.2.11, 23.0.7 or 24.0.3.
For Nextcloud Enterprise Server versions prior to 23.0.7, upgrade to 23.0.7 or 24.0.3.
For Nextcloud Enterprise Server versions prior to 24.0.3, upgrade to 24.0.3.
As a temporary workaround, consider disabling the use of the Authorization header in HTTP downgrades until a patch is available.
Weakness types
Incorrect Authorization
Information Disclosure
Affected Products
Alt Linux
Nextcloud Enterprise Server
Nextcloud Server