Exception logging in Sharepoint app reveals clear-text connection details

Moderate
nickvergessen published GHSA-qpf5-jj85-36h5 Oct 27, 2022

Package: Server (Nextcloud)
Affected versions: < 23.0.9, < 24.0.5
Patched versions: 23.0.9, 24.0.5

Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.10.5, < 23.0.9, < 24.0.5
Patched versions: 22.2.10.5, 23.0.9, 24.0.5

Description

Impact

When an attacker gets hold of the nextcloud.log, they may gain knowledge of credentials to connect to a SharePoint service.

Patches

It is recommended that the Nextcloud Server is upgraded to 23.0.9 or 24.0.5.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.5, 23.0.9 or 24.0.5.

Workarounds

Set the following option in php.ini:

zend.exception_ignore_args = On
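
How this setting changes what an exception trace carries into a log, as an added PHP example that is not part of the advisory and is not Nextcloud's code. The function names, host, account and password are constructed placeholders, and the JSON log shape is an assumption for illustration.

```php
<?php
// Added illustration, not Nextcloud code. All names and values are constructed.

// Hypothetical backend call that fails after receiving credentials as arguments.
function connectToBackend(string $host, string $user, string $password): void
{
    throw new RuntimeException("Could not connect to $host");
}

// Serialize an exception as one JSON log line, including each stack
// frame's arguments when PHP recorded them in the trace.
function exceptionToLogLine(Throwable $e): string
{
    $frames = [];
    foreach ($e->getTrace() as $frame) {
        $frames[] = [
            'function' => $frame['function'],
            // The 'args' key is absent when zend.exception_ignore_args is On.
            'args' => $frame['args'] ?? '(not recorded)',
        ];
    }
    return json_encode(['message' => $e->getMessage(), 'trace' => $frames]);
}

function logFailedConnect(bool $ignoreArgs): string
{
    // Same directive as in php.ini, set at runtime here so that both
    // behaviours can be compared in one script.
    ini_set('zend.exception_ignore_args', $ignoreArgs ? '1' : '0');
    try {
        connectToBackend('sharepoint.example.test', 'svc-account', 'CONSTRUCTED-PASSWORD');
    } catch (RuntimeException $e) {
        return exceptionToLogLine($e);
    }
    return '';
}

$withArgs    = logFailedConnect(false);
$withoutArgs = logFailedConnect(true);

echo "zend.exception_ignore_args=Off: $withArgs\n";
echo "zend.exception_ignore_args=On:  $withoutArgs\n";

// Report whether the constructed password reached each log line.
var_dump(strpos($withArgs, 'CONSTRUCTED-PASSWORD') !== false);
var_dump(strpos($withoutArgs, 'CONSTRUCTED-PASSWORD') !== false);
```

The setting only affects exceptions created after it takes effect, so log entries written earlier still need to be reviewed and the credentials in them rotated.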

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate 4.0 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-39364

Weaknesses