Skip to content

Control character filtering misses leading and trailing whitespace in file and folder names

Moderate
nickvergessen published GHSA-w3h6-p64h-q9jp Apr 27, 2022

Package

Server (Nextcloud)

Affected versions

< 20.0.14.4, < 21.0.8, < 22.2.4, < 23.0.1

Patched versions

20.0.14.4, 21.0.8, 22.2.4, 23.0.1

Description

Impact

It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection.

Patches

It is recommended that the Nextcloud Server is upgraded to 20.0.14.4, 21.0.8, 22.2.4 or 23.0.1.

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2022-24888

Weaknesses

Credits