5.3

CVE-2022-39329

EPSS 0.26%
Veröffentlicht 27.10.2022 14:15:11
Zuletzt bearbeitet 21.11.2024 07:18:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Profile of disabled user stays accessible

Profile of disabled user stays accessible

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Server: No workaround available

Enterprise Server: No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

NVD 4 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Enterprise Server Version < 23.0.9

Nextcloud ≫ Nextcloud Enterprise Server Version >= 24.0.0 < 24.0.5

Nextcloud ≫ Nextcloud Server Version < 23.0.9

Nextcloud ≫ Nextcloud Server Version >= 24.0.0 < 24.0.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 0.0.0, < 23.0.9

Version >= 24.0.0, < 24.0.5

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 0.0.0, < 23.0.9

Version >= 24.0.0, < 24.0.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.497

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3

Third Party Advisory

https://github.com/nextcloud/server/pull/33643

Patch

Third Party Advisory

https://hackerone.com/reports/1675014

Third Party Advisory

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-39329

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-39329

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-39329

EUVD