CVE-2023-30539

CWE-284 — Improper Access Control2 documents2 sources

Severity

8.8HIGH

EPSS

0.4%

top 40.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Files Automated Tagging Nextcloud Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedApr 17

Description

Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:LExploitability: 2.3 | Impact: 3.7

Affected Packages3 packages

▶NVDnextcloud/nextcloud_files_automated_tagging1.14.0 — 1.14.2+5

▶NVDnextcloud/nextcloud_server21.0.0 — 21.0.9.11+4

▶CVEListV5nextcloud/security-advisories8 versions+7

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Users can set up workflows using restricted and invisible system tags in Nextcloud↗2023-04-17

▶