Description
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.
References
- Third Party Advisory
- Permissions Required, Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Permissions Required, Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1
- Version up to 19.0.11 (excluding)
- Version from 20.0.0 (including) up to 20.0.10 (excluding)
- Version from 21.0.0 (including) up to 21.0.2 (excluding)
One of
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
EPSS
Percentile: 53%
0.00308
Low
3.5 Low
CVSS3
3.5 Low
CVSS2
Weaknesses
CWE-241
NVD-CWE-Other
Related vulnerabilities
CVSS3: 3.5
debian
about 4 years ago
Nextcloud Server is a Nextcloud package that handles data storage. In ...