Nextcloud Server Update: Upgrade to Improve Security and Stability
CVE-2024-37882

8.1 HIGH

Key Information:

Vendor: Nextcloud
CVE Published: 14 June 2024

What is CVE-2024-37882?

A vulnerability in Nextcloud Server allows users who have been granted read and share permissions on shared items to reshare those items, potentially with additional privileges. This unauthorized escalation of permissions can lead to unintended data exposure and undermines the intended access controls. To address this vulnerability, upgrade to a fixed version: Nextcloud Server 26.0.13, 27.1.8, or 28.0.4, or the respective version of Nextcloud Enterprise Server. Failing to do so may expose sensitive data to unauthorized users.
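The invariant behind this fix, as an added audit example that is not Nextcloud's code and not part of the original advisory: a reshare must never carry permission bits its initiator was not granted. The bit values are Nextcloud's share permission constants; the record layout, field names and sample shares are constructed assumptions for illustration.

```python
# Nextcloud share permission bits (values used by the OCS Share API).
PERMS = {"read": 1, "update": 2, "create": 4, "delete": 8, "share": 16}


def names(mask):
    """Decode a permission bitmask into sorted bit names."""
    return sorted(n for n, bit in PERMS.items() if mask & bit)


def excess(granted, requested):
    """Bits present in a reshare but absent from the grant it derives from."""
    return requested & ~granted


def audit_reshares(shares):
    """Flag shares whose initiator handed out more than they were given."""
    # Records are constructed dicts (hypothetical layout, not Nextcloud's schema).
    grants = {}  # (file, recipient) -> union of permission bits received
    for s in shares:
        key = (s["file"], s["share_with"])
        grants[key] = grants.get(key, 0) | s["permissions"]

    findings = []
    for s in shares:
        if s["initiator"] == s["owner"]:
            continue  # the owner is not bounded by a received grant
        granted = grants.get((s["file"], s["initiator"]), 0)
        extra = excess(granted, s["permissions"])
        if extra:
            findings.append((s["id"], names(extra)))
    return findings


# Constructed sample data: alice owns report.odt and gives bob read+share.
SAMPLE = [
    {"id": 1, "file": "report.odt", "owner": "alice", "initiator": "alice",
     "share_with": "bob", "permissions": 1 | 16},
    # bob reshares with the same rights: within his grant.
    {"id": 2, "file": "report.odt", "owner": "alice", "initiator": "bob",
     "share_with": "carol", "permissions": 1 | 16},
    # bob reshares with update+delete added: exceeds his grant.
    {"id": 3, "file": "report.odt", "owner": "alice", "initiator": "bob",
     "share_with": "dave", "permissions": 1 | 2 | 8 | 16},
]

if __name__ == "__main__":
    for share_id, extra in audit_reshares(SAMPLE):
        print(f"share {share_id} exceeds initiator's grant by {extra}")
```
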

Affected Version(s)

security-advisories >= 26.0.0, < 26.0.13 < 26.0.0, 26.0.13

security-advisories >= 27.0.0, < 27.1.8 < 27.0.0, 27.1.8

security-advisories >= 28.0.0, < 28.0.4 < 28.0.0, 28.0.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
