CVE-2019-15621

Published: Feb 4, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.

Affected (3)

Products: Nextcloud: Nextcloud Server

Nextcloud

1 product

Nextcloud Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 14.0.13
Nextcloud Nextcloud Server	From 15.0.0 to 15.0.9
Nextcloud Nextcloud Server	From 16.0.0 to 16.0.2

Related CWEs

CWE-281

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References (8)

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html

Source: support@hackerone.com

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html

Source: support@hackerone.com

https://hackerone.com/reports/619484

Source: support@hackerone.com

Permissions Required

https://nextcloud.com/security/advisory/?id=NC-SA-2020-012

Source: support@hackerone.com

Vendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://hackerone.com/reports/619484

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://nextcloud.com/security/advisory/?id=NC-SA-2020-012

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.