CVE-2022-24888
published 2022-04-27

Priority: P4 · 23 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.23% (65.2th percentile)

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. This issue is fixed in versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1. There are currently no known workarounds.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | nextcloud_server | < 20.0.14.4 | 20.0.14.4 |
| nextcloud | nextcloud_server | >= 21.0.0 < 21.0.8 | 21.0.8 |
| nextcloud | nextcloud_server | >= 22.0.0 < 22.2.4 | 22.2.4 |
| nextcloud | nextcloud_server | >= 23.0.0 < 23.0.1 | 23.0.1 |
| nextcloud | security-advisories | < 21.0.8 | 21.0.8 |
| nextcloud | security-advisories | < 22.2.4 | 22.2.4 |
| nextcloud | security-advisories | < 23.0.1 | 23.0.1 |
| nextcloud | security-advisories | | |

CVSS provenance

nvd, v3.1: 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N