Nextcloud Server users can make external storage mount points inaccessible for other users
CVE-2023-48239

8.5 HIGH

Key Information:

Vendor: Nextcloud
CVE Published: 21 November 2023

What is CVE-2023-48239?

Nextcloud Server, an open-source cloud solution, has a vulnerability that allows a malicious user to modify personal and global external storage settings, rendering the affected mount points inaccessible to all other users. This issue affects Nextcloud Server versions before 25.0.13 and Nextcloud Enterprise Server versions prior to 20.0.14.16, among others. To mitigate the risk, upgrade to a patched version or, alternatively, disable the affected external storage application, albeit at the cost of accessibility.

Affected Version(s)

security-advisories >= 25.0.0, < 25.0.13 < 25.0.0, 25.0.13

security-advisories >= 26.0.0, < 26.0.8 < 26.0.0, 26.0.8

security-advisories >= 27.0.0, < 27.1.3 < 27.0.0, 27.1.3

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
