PT-2023-2471 · Nextcloud+2 · Nextcloud Server+2

Aslfvo

Published: 2023-01-23 · Updated: 2023-04-18 · CVE-2023-28643

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 24.0.9
Nextcloud Server versions prior to 25.0.3

Description

The issue is related to the handling of shared resources with the same name in Nextcloud Server, particularly when a memory cache is configured. If a recipient receives two shares with the same name, the second share will replace the first one instead of being renamed to {name} (2). This can lead to a denial of service. The vulnerability can be exploited by a remote attacker to cause a collision of shared resources for recipients when caching is enabled.

Recommendations

For Nextcloud Server versions prior to 24.0.9, upgrade to version 24.0.9. For Nextcloud Server versions prior to 25.0.3, upgrade to version 25.0.3. As a temporary workaround for users unable to upgrade, avoid sharing two folders with the same name to the same user.

Related Identifiers

ALT-PU-2023-1116
ALT-PU-2023-1176
BDU:2023-02261
CVE-2023-28643
GHSA-HHQ4-4PR8-WM27

Affected Products

Alt Linux
Nextcloud Server
Red Os