CVE-2024-37882

EPSS 0.32%
Veröffentlicht 14.06.2024 16:15:12
Zuletzt bearbeitet 21.11.2024 09:24:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server can reshare read&share only folder with more permissions

Can reshare read&share only folder with more permissions

Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 9 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 26.0.0 < 26.0.13

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 27.0.0 < 27.1.8

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 28.0.0 < 28.0.4

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.17

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.12.13

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.13.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.13

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 28.0.0, < 28.0.4

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 28.0.0, < 28.0.4

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.545

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq

Vendor Advisory

https://github.com/nextcloud/server/pull/44339

Patch

https://hackerone.com/reports/2289425

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-37882

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37882

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37882

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-37882