Skip to content

User scoped external storage can be used to gather credentials of other users

High
nickvergessen published GHSA-637g-xp2c-qh5h Jun 22, 2023

Package

Server (Nextcloud)

Affected versions

>= 25.0.0, >= 26.0.0

Patched versions

25.0.7, 26.0.2
Server (Nextcloud Enterprise)
>= 19.0.0 >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0, >= 26.0.0
19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, 26.0.2

Description

Impact

A user could use this functionality to get access to the login credentials of another user and take over their account.

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2
It is recommended that the Nextcloud Enterprise Server is upgraded to 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 or 26.0.2

Workarounds

3 Workarounds are available:

  • Disable app files_external
  • Change config setting "Allow users to mount external storage" to disabled in "Administration" > "External storage" settings …/index.php/settings/admin/externalstorages
  • Change config setting to disallow users to create external storages in "Administration" > "External storage" settings …/index.php/settings/admin/externalstorages with the following types:
    • FTP
    • Nextcloud
    • SFTP
    • WebDAV

References

For more information

If you have any questions or comments about this advisory:

Severity

High
8.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-35928

Weaknesses

Credits