CVE-2024-22402

Published: Jan 18, 2024Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

Affected (3)

Products: Nextcloud: Guests

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Guests	Before 2.4.1
Nextcloud Guests	Version 2.5.0
Nextcloud Guests	Version 3.0.0

Related CWEs

Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

References (6)

https://github.com/nextcloud/guests/pull/1082

Source: security-advisories@github.com

PatchVendor Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v3qw-7vgv-2fxj

Source: security-advisories@github.com

Vendor Advisory

https://hackerone.com/reports/2251074

Source: security-advisories@github.com

Permissions RequiredThird Party Advisory

https://github.com/nextcloud/guests/pull/1082

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v3qw-7vgv-2fxj

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://hackerone.com/reports/2251074

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.