CVE-2024-22401Improper Preservation of Permissions in Guests

CWE-281Improper Preservation of Permissions2 documents2 sources
Severity
4.3MEDIUMNVD
CNA4.1
EPSS
0.3%
top 44.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud GuestsNextcloud Security-advisories
Timeline
PublishedJan 18

Description

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/guests< 2.4.1+2
CVEListV5nextcloud/security-advisories>= 2.4.0, < 2.4.1, >= 2.5.0, < 2.5.1, >= 3.0.0, < 3.0.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
All users can reset the allowed apps list for Nextcloud Guest App users2024-01-18
CVE-2024-22401 — Improper Preservation of Permissions | cvebase