PT-2024-19394 · Nextcloud · Nextcloud Files Zip App

Nickvergessen

Published

2024-01-18

Updated

2024-01-26

CVE-2024-22404

CVSS v3.1

4.1

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud files Zip app versions prior to 1.2.1 Nextcloud files Zip app versions prior to 1.4.1 Nextcloud files Zip app versions prior to 1.5.0

Description The Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions, users can download "view-only" files by zipping the complete folder.

Recommendations For versions prior to 1.2.1, upgrade to 1.2.1 or later. For versions prior to 1.4.1, upgrade to 1.4.1 or later. For versions prior to 1.5.0, upgrade to 1.5.0 or later. As a temporary workaround, consider disabling the file zip app until a patch is available.

Exploit

Fix

Improper Preservation of Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-281

Related Identifiers

CVE-2024-22404

GHSA-VHJ3-MCH4-67FQ

Affected Products

Nextcloud Files Zip App

PT-2024-19394 · Nextcloud · Nextcloud Files Zip App

CVE-2024-22404

Weakness Enumeration

Related Identifiers

Affected Products

References · 8