Control character filtering misses leading and trailing whitespace in file and folder names
Package
Server
(Nextcloud)
Affected versions
< 20.0.14.4, < 21.0.8, < 22.2.4, < 23.0.1
Patched versions
20.0.14.4, 21.0.8, 22.2.4, 23.0.1
Impact
It is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection.
Patches
It is recommended that the Nextcloud Server is upgraded to 20.0.14.4, 21.0.8, 22.2.4 or 23.0.1.
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: