Users can set up workflows using restricted and invisible system tags

Moderate
nickvergessen published GHSA-3m2f-v8x7-9w99 Apr 17, 2023

Package

Files automated tagging (Nextcloud)

Affected versions

>= 1.11.0, >= 1.12.0, >= 1.13.0, >= 1.14.0, >= 1.15.0, >= 1.16.0

Patched versions

1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3, 1.16.1

Package

Server (Nextcloud)

Affected versions

>= 24.0.0, >= 25.0.0

Patched versions

24.0.11, 25.0.5

Package

Server (Nextcloud Enterprise)

Affected versions

>= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0

Patched versions

21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11, 25.0.5

Description

Impact

Depending on the tags that are set up and on other workflows, this issue can be used to limit the access of others, or to grant them access, when system-tag-based files access control or files retention rules are in place.

Patches

It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5.
It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5.

It is recommended that the Nextcloud Files automated tagging app is upgraded to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1.

Workarounds

  • Disable all workflow-related apps

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate (6.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CVE ID

CVE-2023-30539

Weaknesses

Credits