CVE-2024-52514

CWE-284Improper Access Control2 documents2 sources
Severity
3.5LOW
EPSS
0.3%
top 44.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedNov 15

Description

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.1

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:NExploitability: 2.3 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.9.18+7
CVEListV5nextcloud/security-advisories>= 27.0.0, < 27.1.9, >= 28.0.0, < 28.0.5+1

Patches

Patch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control2024-11-15
CVE-2024-52514 (LOW CVSS 3.5) | Nextcloud Server is a self hosted p | cvebase.io