CVE-2022-39364

Severity: 6.5 MEDIUM
EPSS: 0.2% (top 54.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 27

Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaroun

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
Exploitability: 0.3 | Impact: 3.6

Affected Packages (3 packages)

NVD | nextcloud/nextcloud_enterprise_server | 23.0.0 | 23.0.9 | +2
NVD | nextcloud/nextcloud_server | 24.0.0 | 24.0.5 | +1
CVEListV5 | nextcloud/security-advisories | < 22.2.10.5, >= 23.0.0, < 23.0.9, >= 24.0.0, < 24.0.5 | +2

Patches

Vulnerability Details (1)

CVEList: Exception logging in Sharepoint app reveals clear-text connection details (2022-10-27)
CVE-2022-39364 (MEDIUM CVSS 6.5) | Nextcloud Server is the file server | cvebase.io