Vulnerability CVE-2023-48239: Information

Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable the files_external app. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.

Severity: HIGH (7.1) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Published: November 22, 2023
Modified: November 29, 2023

Fixed packages

| Package name | Branch | Fixed in version | Version in repository | Errata ID | Task No. | Status |
|---|---|---|---|---|---|---|
| nextcloud | sisyphus | 27.1.4-alt1 | 27.1.4-alt1 | ALT-PU-2023-7786-2 | 331928 | Fixed |
| nextcloud | sisyphus_e2k | 27.1.4-alt1 | 27.1.4-alt1 | ALT-PU-2023-8114-1 | - | Fixed |
| nextcloud | sisyphus_loongarch64 | 27.1.4-alt1 | 27.1.4-alt1 | ALT-PU-2023-8099-1 | - | Fixed |
| nextcloud | p10 | 26.0.9-alt0.p10.1 | 27.1.4-alt1 | ALT-PU-2023-7785-2 | 335752 | Fixed |
| nextcloud | p10_e2k | 26.0.9-alt0.p10.1 | 27.1.4-alt1 | ALT-PU-2023-7955-1 | - | Fixed |

References to advisories, solutions, and tools

    1. Configuration 1

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 21.0.0
      End excluding: 21.0.9.13

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
      Start including: 27.0.0
      End excluding: 27.1.3

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
      Start including: 26.0.0
      End excluding: 26.0.8

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
      Start including: 25.0.0
      End excluding: 25.0.13

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 27.0.0
      End excluding: 27.1.3

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 26.0.0
      End excluding: 26.0.8

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 25.0.0
      End excluding: 25.0.13

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 24.0.0
      End excluding: 24.0.12.8

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 23.0.0
      End excluding: 23.0.12.12

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 22.0.0
      End excluding: 22.2.10.15

      cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
      Start including: 20.0.0
      End excluding: 20.0.14.16