Server-Side Request Forgery (SSRF) via potential filter bypass with too lax local domain checking
Package: Server (Nextcloud)
Affected versions: < 23.0.8, < 24.0.4
Patched versions: 23.0.8, 24.0.4

Package: Server (Nextcloud Enterprise)
Affected versions: < 22.2.10.4, < 23.0.8, < 24.0.4
Patched versions: 22.2.10.4, 23.0.8, 24.0.4
Impact
Locally running web services can be found and requested.
Patches
It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4.
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: