PT-2024-4383 · Nextcloud+2 · Nextcloud Server+3

Fernandoenzo · Published 2024-06-14 · Updated 2025-01-24 · CVE-2024-37882

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 26.0.13
Nextcloud Server versions prior to 27.1.8
Nextcloud Server versions prior to 28.0.4
Nextcloud Enterprise Server versions prior to 26.0.13
Nextcloud Enterprise Server versions prior to 27.1.8
Nextcloud Enterprise Server versions prior to 28.0.4
Description
A recipient of a share granted only read and share permissions could reshare the item with more permissions than they had received. The issue stems from the handling of requests to delete old versions of files: such requests could be issued by a user who had obtained the file with read permission only. Exploitation of this issue may allow a remote attacker to impact data integrity or cause a denial of service.
Recommendations
For Nextcloud Server versions prior to 26.0.13, upgrade to version 26.0.13 or later.
For Nextcloud Server versions prior to 27.1.8, upgrade to version 27.1.8 or later.
For Nextcloud Server versions prior to 28.0.4, upgrade to version 28.0.4 or later.
For Nextcloud Enterprise Server versions prior to 26.0.13, upgrade to version 26.0.13 or later.
For Nextcloud Enterprise Server versions prior to 27.1.8, upgrade to version 27.1.8 or later.
For Nextcloud Enterprise Server versions prior to 28.0.4, upgrade to version 28.0.4 or later.

Exploit

Fix

Weakness Enumeration

Improper Access Control
Improper Preservation of Permissions

Related Identifiers

ALT-PU-2024-10161
ALT-PU-2024-14145
ALT-PU-2024-14169
ALT-PU-2025-1855
BDU:2024-04874
CVE-2024-37882
GHSA-JJM3-J9XH-5XMQ

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os