CVE-2017-0884Incorrect Permission Assignment in Server

CWE-275CWE-732Incorrect Permission Assignment3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 72.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nextcloud Server
Timeline
PublishedApr 5
Latest updateMay 13

Description

Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of folders in read-only folders despite lacking permissions issue. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only permissions for.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server10.0.010.0.2+1
CVEListV5nextcloud/nextcloud_serverAll versions before 9.0.55 and 10.0.2

Patches

Patch: nextcloud.comPatch: nextcloud.com

🔴Vulnerability Details

2
GHSA
GHSA-w44g-m97f-qr3p: Nextcloud Server before 92022-05-13
CVEList
CVE-2017-0884: Nextcloud Server before 92017-04-05
CVE-2017-0884 — Incorrect Permission Assignment | cvebase