5.9

CVE-2024-52517

EPSS 0.75%
Veröffentlicht 15.11.2024 17:15:21
Zuletzt bearbeitet 06.01.2025 20:58:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's global credentials of external storages are sent back to the frontend

Global credentials of external storages are sent back to the frontend

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 9 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.13.13

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.13.9

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.11.9

Nextcloud ≫ Nextcloud Server Version >= 28.0.0 < 28.0.11

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.11

Nextcloud ≫ Nextcloud Server Version >= 29.0.0 < 29.0.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.8

Nextcloud ≫ Nextcloud Server Version >= 30.0.0 < 30.0.1

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 30.0.0 < 30.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 28.0.0, < 28.0.11

Version >= 29.0.0, < 29.0.8

Version >= 30.0.0, < 30.0.1

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 25.0.0, < 25.0.13.13

Version >= 26.0.0, < 26.0.13.9

Version >= 27.0.0, < 27.1.11.9

Version >= 28.0.0, < 28.0.11

Version >= 29.0.0, < 29.0.8

Version >= 30.0.0, < 30.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.75%	0.73

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.6	0.2	4	CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x9q3-c7f8-3rcg

Vendor Advisory

https://github.com/nextcloud/server/commit/c45ed55f959ff54f3ea23dd2ae1a5868a075c9fe

Patch

https://github.com/nextcloud/server/pull/48359

Issue Tracking

https://hackerone.com/reports/2554079

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x9q3-c7f8-3rcg

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-52517

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52517

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52517

EUVD