Vulnerability CVE-2023-39952: Information

Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-39952
Published: Aug. 10, 2023
Modified: Aug. 16, 2023
Error type identifier: CWE-284

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
nextcloudp1026.0.9-alt0.p10.127.1.4-alt1ALT-PU-2023-7785-2335752Fixed
nextcloudp10_e2k26.0.9-alt0.p10.127.1.4-alt1ALT-PU-2023-7955-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq
  • Patch
  • Vendor Advisory
https://hackerone.com/reports/1808079
  • Permissions Required
https://github.com/nextcloud/server/pull/38890
  • Patch
https://github.com/nextcloud/groupfolders/issues/1906
  • Issue Tracking
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:nextcloud:nextcloud_server:27.0.0:*:*:*:-:*:*:*
      cpe:2.3:a:nextcloud:nextcloud_server:27.0.0:*:*:*:enterprise:*:*:*
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
      Start including
      26.0.0
      End excliding
      26.0.3
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including
      26.0.0
      End excliding
      26.0.3
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
      Start including
      25.0.0
      End excliding
      25.0.8
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including
      25.0.0
      End excliding
      25.0.8
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including
      22.0.0
      End excliding
      22.2.10.13
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including
      23.0.0
      End excliding
      23.0.12.8
      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including
      24.0.0
      End excliding
      24.0.12.4
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top