← Back

CVE-2023-26482

nvd nist
Published: Mar 30, 2023Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

Affected (8)

Nextcloud
1 product
Nextcloud Server
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Nextcloud
Nextcloud Server
From 24.0.0 to 24.0.10
Nextcloud Server
From 25.0.0 to 25.0.4
Nextcloud Server
From 18.0.0 to 20.0.14.12
Nextcloud Server
From 21.0.0 to 21.0.9.10
Nextcloud Server
From 22.0.0 to 22.2.10.10
Nextcloud Server
From 23.0.0 to 23.0.12.5
Nextcloud Server
From 24.0.0 to 24.0.10
Nextcloud Server
From 25.0.0 to 25.0.4

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch

Timeline

No history available yet.