CVE-2024-22402Improper Preservation of Permissions in Guests

CWE-281Improper Preservation of Permissions2 documents2 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 45.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud GuestsNextcloud Security-advisories
Timeline
PublishedJan 18

Description

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDnextcloud/guests< 2.4.1+2
CVEListV5nextcloud/security-advisories>= 2.4.0, < 2.4.1, >= 2.5.0, < 2.5.1, >= 3.0.0, < 3.0.1+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist2024-01-18
CVE-2024-22402 — Improper Preservation of Permissions | cvebase