CVE-2023-25817

Published: Mar 27, 2023Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.

Affected (1)

Products: Nextcloud: Nextcloud Server

1 product

Nextcloud Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	From 24.0.0 to 24.0.9

Related CWEs

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8v5c-f752-fgpv

Source: security-advisories@github.com

PatchVendor Advisory

https://github.com/nextcloud/server/pull/33941

Source: security-advisories@github.com

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8v5c-f752-fgpv

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://github.com/nextcloud/server/pull/33941

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.