CVE-2020-8139 — Improper Access Control in Server

CWE-284 — Improper Access Control CWE-862 — Missing Authorization7 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Fedoraproject Fedora

Timeline

PublishedMar 20

Latest updateMay 24

Description

A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server16.0.0 — 16.0.9+2

▶CVEListV5nextcloud/nextcloud_serverFixed in 18.0.1, 17.0.4, and 16.0.9

Also affects: Fedora 32

🔴Vulnerability Details

GHSA

GHSA-3j4p-7g9x-w28j: A missing access control check in Nextcloud Server < 18↗2022-05-24

▶

CVEList

CVE-2020-8139: A missing access control check in Nextcloud Server < 18↗2020-03-20

▶

💬Community

Bugzilla

CVE-2020-8139 nextcloud: hide-download shares to be downloadable when appending /download to the URL [fedora-30]↗2020-05-21

▶

Bugzilla

CVE-2020-8139 nextcloud: hide-download shares to be downloadable when appending /download to the URL [fedora-31]↗2020-05-21

▶

Bugzilla

CVE-2020-8139 nextcloud: hide-download shares to be downloadable when appending /download to the URL↗2020-05-21

▶

Bugzilla

CVE-2020-8139 nextcloud: hide-download shares to be downloadable when appending /download to the URL [epel-7]↗2020-05-21

▶