CVE-2023-26482
published 2023-03-30CVE-2023-26482: Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are…
PriorityP263high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
4.18%
89.6th percentile
Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | nextcloud_server | >= 18.0.0 < 20.0.14.12 | 20.0.14.12 |
| nextcloud | nextcloud_server | >= 21.0.0 < 21.0.9.10 | 21.0.9.10 |
| nextcloud | nextcloud_server | >= 22.0.0 < 22.2.10.10 | 22.2.10.10 |
| nextcloud | nextcloud_server | >= 23.0.0 < 23.0.12.5 | 23.0.12.5 |
| nextcloud | nextcloud_server | >= 24.0.0 < 24.0.10 | 24.0.10 |
| nextcloud | nextcloud_server | >= 25.0.0 < 25.0.4 | 25.0.4 |
| nextcloud | security-advisories | < 24.0.10 | 24.0.10 |
| nextcloud | security-advisories | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/nextcloud_workflows_rce.rb↗
- →Monitor for non-admin users creating or modifying workflow configurations via the Nextcloud workflows API endpoint, which should be restricted to administrators only. ↗
- →Alert on execution of server-side scripts or webhook invocations triggered by Nextcloud workflow events, particularly from the `workflow_scripts` or `workflow_pdf_converter` apps. ↗
- →A public Metasploit exploit module exists for this CVE targeting Nextcloud as an authenticated (non-admin) user; monitor for exploitation attempts using this module against Nextcloud web application endpoints. ↗
- ·Disable the `workflow_scripts` and `workflow_pdf_converter` Nextcloud apps as a mitigation if upgrading is not immediately possible. ↗
- ·The RCE impact is conditional on the presence of specific apps (e.g., `workflow_scripts`, `workflow_pdf_converter`); assess which apps are installed before determining exploitability. ↗
- ·Exploitation requires an authenticated (non-admin) user account; unauthenticated exploitation is not possible. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No advisories linked to this vulnerability.
No detection rules found.
No writeups or analysis indexed.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpjhttps://github.com/nextcloud/server/commit/5a06b50b10cc9278bbe68bbf897a0c4aeb0c4e60https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpjhttps://github.com/nextcloud/server/commit/5a06b50b10cc9278bbe68bbf897a0c4aeb0c4e60
2023-03-30
Published