5.3

CVE-2024-52521

Nextcloud Server has a potential hash collision for background jobs that could skip queuing them

Potential hash collision for background jobs could skip queuing them

Nextcloud Server is a self-hosted personal cloud system. MD5 hashes were used to check background jobs for uniqueness. This increased the chance of a background job with arguments being falsely identified as already existing and not being queued for execution. Changing the hash to SHA256 heavily decreased that probability. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.
Possible countermeasure
Server: * No workaround available
Enterprise Server: * No workaround available
Data provided by the National Vulnerability Database (NVD)
Nextcloud / Nextcloud Server / SwEdition: - / Version: >= 28.0.0 < 28.0.10
Nextcloud / Nextcloud Server / SwEdition: enterprise / Version: >= 28.0.0 < 28.0.10
Nextcloud / Nextcloud Server / SwEdition: - / Version: >= 29.0.0 < 29.0.7
Nextcloud / Nextcloud Server / SwEdition: enterprise / Version: >= 29.0.0 < 29.0.7
Further vulnerability information
System: Nextcloud
Product: Server
Version >= 28.0.0, < 28.0.10
Version >= 29.0.0, < 29.0.7
Version >= 30.0.0, < 30.0.0
System: Nextcloud
Product: Enterprise Server
Version >= 28.0.0, < 28.0.10
Version >= 29.0.0, < 29.0.7
Version >= 30.0.0, < 30.0.0
No warning was found for this CVE.
EPSS metrics
Type Source Score Percentile
EPSS FIRST.org 0.77% 0.732
CVSS metrics
Source Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 2.6 1.2 1.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE-328 Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).