Access Control Flaw in Nextcloud Server Allows Unauthorized File Copying
CVE-2024-52514
Currently unrated
What is CVE-2024-52514?
A vulnerability in Nextcloud Server allows users to copy folders that contain files restricted by access control settings. Specifically, when a user is granted access to a folder that contains blocked files, they can still copy the intermediate folder structure. As a result, the user may gain unintended access to files that the defined access control rules block. To mitigate this vulnerability, upgrade Nextcloud Server to one of the patched versions: 27.1.9, 28.0.5, or 29.0.0. Upgrade Nextcloud Enterprise Server to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5, or 29.0.0.
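A fix-level check built from the version list above, as an added example that is not part of the original advisory or of Nextcloud's code. The function names, the three status labels and the sample inventory are assumptions for illustration, and releases newer than 29.0.0 are assumed to carry the fix.

```python
import re

# Fixed releases exactly as listed in the advisory text, keyed by major branch.
COMMUNITY_FIXES = {27: (27, 1, 9, 0), 28: (28, 0, 5, 0), 29: (29, 0, 0, 0)}
ENTERPRISE_FIXES = {
    21: (21, 0, 9, 18), 22: (22, 2, 10, 23), 23: (23, 0, 12, 18),
    24: (24, 0, 12, 14), 25: (25, 0, 13, 9), 26: (26, 0, 13, 3),
    **COMMUNITY_FIXES,
}

def parse_version(text):
    """Turn '28.0.4' or '25.0.13.9' into a 4-int tuple, zero padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def fix_status(version, enterprise=False):
    """Return 'patched', 'below-fix' or 'no-fix-listed' for one server."""
    v = parse_version(version)
    fixes = ENTERPRISE_FIXES if enterprise else COMMUNITY_FIXES
    if v[0] > max(fixes):
        return "patched"        # assumption: releases after 29.0.0 keep the fix
    fix = fixes.get(v[0])
    if fix is None:
        # The advisory names no fixed build for this branch and edition,
        # so the only listed remedy is moving to a branch that has one.
        return "no-fix-listed"
    return "patched" if v >= fix else "below-fix"

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    ("cloud-a.example", "28.0.4", False),
    ("cloud-b.example", "25.0.13.9", True),
    ("cloud-c.example", "25.0.13.9", False),
    ("cloud-d.example", "29.0.1", False),
]

def audit(inventory):
    """Map each host to its fix status for CVE-2024-52514."""
    return {host: fix_status(ver, ent) for host, ver, ent in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

The same version number can be patched on Enterprise and have no listed fix on the community edition (branches 21 through 26), which is why the edition is a separate input.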