PT-2023-9699 · Nextcloud+1 · Nextcloud Enterprise Server+2
Maccs · Published 2023-11-21 · Updated 2025-10-01
CVE-2024-52514
CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 27.1.9
Nextcloud Server versions prior to 28.0.5
Nextcloud Server versions prior to 29.0.0
Nextcloud Enterprise Server versions prior to 21.0.9.18
Nextcloud Enterprise Server versions prior to 22.2.10.23
Nextcloud Enterprise Server versions prior to 23.0.12.18
Nextcloud Enterprise Server versions prior to 24.0.12.14
Nextcloud Enterprise Server versions prior to 25.0.13.9
Nextcloud Enterprise Server versions prior to 26.0.13.3
Description
An incorrect access control issue in Nextcloud Server allows a remote attacker to access confidential information. After a user receives a share that contains blocked files, they can still copy the intermediate folder and may then be able to access the blocked files, depending on the user access control rules.
Recommendations
Upgrade Nextcloud Server to version 27.1.9 or later.
Upgrade Nextcloud Server to version 28.0.5 or later.
Upgrade Nextcloud Server to version 29.0.0 or later.
Upgrade Nextcloud Enterprise Server to version 21.0.9.18 or later.
Upgrade Nextcloud Enterprise Server to version 22.2.10.23 or later.
Upgrade Nextcloud Enterprise Server to version 23.0.12.18 or later.
Upgrade Nextcloud Enterprise Server to version 24.0.12.14 or later.
Upgrade Nextcloud Enterprise Server to version 25.0.13.9 or later.
Upgrade Nextcloud Enterprise Server to version 26.0.13.3 or later.
As a temporary workaround, consider restricting access to shared folders with blocked files until the upgrade is applied.
Exploit
Fix
Improper Access Control
Affected Products
Nextcloud Enterprise Server
Nextcloud Server
Red Os