Skip to content

Scope of workflow operations is not validated

Critical
nickvergessen published GHSA-h3c9-cmh8-7qpj Mar 30, 2023

Package

Server (Nextcloud)

Affected versions

>= 24.0.0, >= 25.0.0

Patched versions

24.0.10, 25.0.4
Server (Nextcloud Enterprise)
>= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0
20.0.14.12, 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, 25.0.4

Description

Impact

A missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end.

Patches

It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4
It is recommended that the Nextcloud Enterprise Server is upgraded to 20.0.14.12 or 21.0.9.10 or 22.2.10.10 or 23.0.12.5 or 24.0.10 or 25.0.4
It is recommended that the Nextcloud Enterprise Server 18 or Nextcloud Enterprise Server 19 is manually patched.

Workarounds

  • Disable app workflow_scripts and workflow_pdf_converter

References

For more information

If you have any questions or comments about this advisory:

Severity

Critical
9.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-26482

Weaknesses

Credits