CVE-2024-22404Improper Preservation of Permissions in Zipper

CWE-281Improper Preservation of Permissions2 documents2 sources
Severity
4.3MEDIUMNVD
CNA4.1
EPSS
0.6%
top 30.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud ZipperNextcloud Security-advisories
Timeline
PublishedJan 18

Description

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/zipper< 1.2.1+1
CVEListV5nextcloud/security-advisories>= 1.2.0, < 1.2.1, >= 1.3.0, < 1.4.1+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Permissions bypass in Nextcloud with the files zip app2024-01-18
CVE-2024-22404 — Improper Preservation of Permissions | cvebase