CVE-2023-28643

Exploit

EPSS 0.56%
Published 30.03.2023 19:15:06
Last modified 21.11.2024 07:55:43
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 24.0.0 < 24.0.9

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.9

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.3

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.56%	0.672

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.5	2.1	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27

Vendor Advisory

https://github.com/nextcloud/server/issues/34015

Exploit

Issue Tracking

https://github.com/nextcloud/server/pull/36047

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-28643

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28643

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28643

EUVD