Skip to content

Users can make external storage mount points inaccessible for other users

High
nickvergessen published GHSA-f962-hw26-g267 Nov 21, 2023

Package

Server (Nextcloud)

Affected versions

>= 25.0.0, >= 26.0.0, >= 27.0.0

Patched versions

25.0.13, 26.0.8, 27.1.3
Server (Nextcloud Enterprise)
>= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0, >= 26.0.0, >= 27.0.0
20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, 27.1.3

Description

Impact

A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well.

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.13, 26.0.8 or 27.1.3
It is recommended that the Nextcloud Enterprise Server is upgraded to 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8 or 27.1.3

Workarounds

  • Disable app files_external - Also makes the external storage inaccessible but retains the configurations until a patched version has been deployed

References

For more information

If you have any questions or comments about this advisory:

Severity

High
8.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVE ID

CVE-2023-48239

Weaknesses

Credits