CVE-2022-39211 — Server-Side Request Forgery in Security-advisories

CWE-918 — Server-Side Request Forgery2 documents2 sources

Severity

5.3MEDIUMNVD

CNA3.0

EPSS

0.2%

top 53.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Enterprise Server Nextcloud Server

Timeline

PublishedSep 16

Description

Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDnextcloud/nextcloud_enterprise_server23.0.0 — 23.0.8+2

▶NVDnextcloud/nextcloud_server24.0.0 — 24.0.4+1

▶CVEListV5nextcloud/security-advisories< 23.0.8+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Server-Side Request Forgery (SSRF) via potential filter bypass in Nextcloud Server↗2022-09-16

▶