Users can make external storage mount points inaccessible for other users
Package
Server
(Nextcloud)
Affected versions
>= 25.0.0, >= 26.0.0, >= 27.0.0
Patched versions
25.0.13, 26.0.8, 27.1.3
Server
(Nextcloud Enterprise)
>= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0, >= 26.0.0, >= 27.0.0
20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, 27.1.3
Impact
A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well.
Patches
It is recommended that the Nextcloud Server is upgraded to 25.0.13, 26.0.8 or 27.1.3
It is recommended that the Nextcloud Enterprise Server is upgraded to 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8 or 27.1.3
Workarounds
References
For more information
If you have any questions or comments about this advisory: