8.8

CVE-2023-28643

Exploit

Potential share collision for recipients when caching is enabled in Nextcloud Server

Nextcloud Server is an open source home cloud implementation. In affected versions, when a recipient receives 2 shares with the same name while a memory cache is configured, the second share replaces the first one instead of being renamed to `{name} (2)`. It is recommended that Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.
Possible countermeasure
Server: Avoid sharing 2 folders with the same name to the same user.
Enterprise Server: Avoid sharing 2 folders with the same name to the same user.
Data provided by the National Vulnerability Database (NVD)
Nextcloud, Nextcloud Server, SwEdition: -, Version: >= 24.0.0, < 24.0.9
Nextcloud, Nextcloud Server, SwEdition: enterprise, Version: >= 24.0.0, < 24.0.9
Nextcloud, Nextcloud Server, SwEdition: -, Version: >= 25.0.0, < 25.0.3
Nextcloud, Nextcloud Server, SwEdition: enterprise, Version: >= 25.0.0, < 25.0.3
Further vulnerability information
System: Nextcloud
Product: Server
Version: >= 24.0.0, < 24.0.9
Version: >= 25.0.0, < 25.0.3
System: Nextcloud
Product: Enterprise Server
Version: >= 24.0.0, < 24.0.9
Version: >= 25.0.0, < 25.0.3
No warning was found for this CVE.
EPSS metrics

| Type | Source | Score | Percentile |
| --- | --- | --- | --- |
| EPSS | FIRST.org | 0.66% | 0.711 |

CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
| --- | --- | --- | --- | --- |
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| security-advisories@github.com | 5.5 | 2.1 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.