A vulnerability was found in Nextcloud Server up to 24.0.8 (Cloud Software). It has been declared as critical. This vulnerability affects an unknown code block. The manipulation with an unknown input leads to a permissions vulnerability. The CWE definition for the vulnerability is CWE-281. The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended. As an impact it is known to affect integrity, and availability. CVE summarizes:

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.

The weakness was disclosed 03/28/2023 as GHSA-8v5c-f752-fgpv. The advisory is shared for download at github.com. This vulnerability was named CVE-2023-25817 since 02/15/2023. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1222.

Upgrading to version 24.0.9 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Type

• Cloud Software

Vendor

• Nextcloud

Name

• Server

Version

• 24.0.0
• 24.0.1
• 24.0.2
• 24.0.3
• 24.0.4
• 24.0.5
• 24.0.6
• 24.0.7
• 24.0.8

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion