4.3

CVE-2023-28834

Exploit

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. There are no known workarounds.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudNextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.14
NextcloudNextcloud Server SwEdition- Version >= 24.0.0 < 24.0.10
NextcloudNextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.10
NextcloudNextcloud Server SwEdition- Version >= 25.0.0 < 25.0.4
NextcloudNextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.79% 0.73
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

https://github.com/nextcloud/server/issues/33883
Third Party Advisory
Exploit
Issue Tracking
https://hackerone.com/reports/1690510
Patch
Third Party Advisory
Exploit
Issue Tracking