CVE-2023-35928 (GCVE-0-2023-35928)
Vulnerability from cvelistv5 – Published: 2023-06-23 20:58 – Updated: 2024-12-05 16:18
Title
Nextcloud user scoped external storage can be used to gather credentials of other users
Summary
Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity platform. In Nextcloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use user-scoped external storage to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.
Three workarounds are available:
- Disable the app files_external.
- Change the config setting "Allow users to mount external storage" to disabled in "Administration" > "External storage" settings (`…/index.php/settings/admin/externalstorages`).
- Change the config setting to disallow users from creating external storages of the types FTP, Nextcloud, SFTP, and/or WebDAV in "Administration" > "External storage" settings (`…/index.php/settings/admin/externalstorages`).
Severity
8.5 (High)
CWE
- CWE-274 - Improper Handling of Insufficient Privileges
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h | x_refsource_CONFIRM, Vendor Advisory |
| https://github.com/nextcloud/server/pull/38265 | x_refsource_MISC, Issue Tracking |
| https://hackerone.com/reports/1978882 | x_refsource_MISC, Third Party Advisory |
Impacted products
| Vendor | Product | Status | Version |
|---|---|---|---|
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 19.0.0, < 19.0.13.9 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 20.0.0.0, < 20.0.14.14 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 21.0.0.0, < 21.0.9.12 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 22.0.0.0, < 22.2.10.12 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 23.0.0.0, < 23.0.12.7 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 24.0.0.0, < 24.0.12.2 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 25.0.0, < 25.0.7 |
| nextcloud | security-advisories | Affected | Nextcloud Enterprise Server >= 26.0.0, < 26.0.2 |
| nextcloud | security-advisories | Affected | Nextcloud Server >= 25.0.0, < 25.0.7 |
| nextcloud | security-advisories | Affected | Nextcloud Server >= 26.0.0, < 26.0.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:40.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h"
},
{
"name": "https://github.com/nextcloud/server/pull/38265",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/pull/38265"
},
{
"name": "https://hackerone.com/reports/1978882",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1978882"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:18:00.553586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:18:09.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 19.0.0, \u003c 19.0.13.9"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 20.0.0.0, \u003c 20.0.14.14"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 21.0.0.0, \u003c 21.0.9.12"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 22.0.0.0, \u003c 22.2.10.12"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 23.0.0.0, \u003c 23.0.12.7"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 24.0.0.0, \u003c 24.0.12.2"
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 25.0.0, \u003c 25.0.7 "
},
{
"status": "affected",
"version": "Nextcloud Enterprise Server \u003e= 26.0.0, \u003c 26.0.2"
},
{
"status": "affected",
"version": "Nextcloud Server \u003e= 25.0.0, \u003c 25.0.7"
},
{
"status": "affected",
"version": "Nextcloud Server \u003e= 26.0.0, \u003c 26.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.\n\nThree workarounds are available. Disable app files_external. Change config setting \"Allow users to mount external storage\" to disabled in \"Administration\" \u003e \"External storage\" settings `\u2026/index.php/settings/admin/externalstorages`. Change config setting to disallow users to create external storages in \"Administration\" \u003e \"External storage\" settings `\u2026/index.php/settings/admin/externalstorages` with the types FTP, Nextcloud, SFTP, and/or WebDAV."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-274",
"description": "CWE-274: Improper Handling of Insufficient Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-23T20:58:33.225Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h"
},
{
"name": "https://github.com/nextcloud/server/pull/38265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/38265"
},
{
"name": "https://hackerone.com/reports/1978882",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1978882"
}
],
"source": {
"advisory": "GHSA-637g-xp2c-qh5h",
"discovery": "UNKNOWN"
},
"title": "Nextcloud user scoped external storage can be used to gather credentials of other users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35928",
"datePublished": "2023-06-23T20:58:33.225Z",
"dateReserved": "2023-06-20T14:02:45.593Z",
"dateUpdated": "2024-12-05T16:18:09.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"19.0.0\", \"versionEndExcluding\": \"19.0.13.9\", \"matchCriteriaId\": \"CC2A5AD6-483F-495C-87CF-2D2B6C4D9903\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"20.0.0\", \"versionEndExcluding\": \"20.0.14.14\", \"matchCriteriaId\": \"1F2E75AF-BECF-4A13-A2F4-6882F4AFE8F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"21.0.0\", \"versionEndExcluding\": \"21.0.9.12\", \"matchCriteriaId\": \"C3851B67-74A7-4D1D-8B7C-F5A0075B2700\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"22.0.0\", \"versionEndExcluding\": \"22.2.10.12\", \"matchCriteriaId\": \"C5FA775A-1796-4C82-B943-CEC91FDA6A00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"23.0.0\", \"versionEndExcluding\": \"23.0.12.7\", \"matchCriteriaId\": \"57E82EBA-930D-4B32-B2B5-3B7119C2EF8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"24.0.0\", \"versionEndExcluding\": \"24.0.12.2\", \"matchCriteriaId\": \"9603AC3F-5104-4C18-BF51-25B52BC7E146\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"25.0.0\", \"versionEndExcluding\": \"25.0.7\", \"matchCriteriaId\": \"DD58A3B6-945E-4AFC-AE5C-A374C884167B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"25.0.0\", \"versionEndExcluding\": \"25.0.7\", 
\"matchCriteriaId\": \"7AC695D0-BD79-42B5-BA1D-3356791E4DEC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"26.0.0\", \"versionEndExcluding\": \"26.0.2\", \"matchCriteriaId\": \"CB3473C7-E5B9-44B1-AC74-F7224D9AB78B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"26.0.0\", \"versionEndExcluding\": \"26.0.2\", \"matchCriteriaId\": \"AE95CF9F-D964-4857-8805-2CE4CF2F6328\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.\\n\\nThree workarounds are available. Disable app files_external. Change config setting \\\"Allow users to mount external storage\\\" to disabled in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\\u2026/index.php/settings/admin/externalstorages`. Change config setting to disallow users to create external storages in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\\u2026/index.php/settings/admin/externalstorages` with the types FTP, Nextcloud, SFTP, and/or WebDAV.\"}]",
"id": "CVE-2023-35928",
"lastModified": "2024-11-21T08:08:59.697",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2023-06-23T21:15:10.007",
"references": "[{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/38265\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://hackerone.com/reports/1978882\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/38265\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://hackerone.com/reports/1978882\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-274\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-35928\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-23T21:15:10.007\",\"lastModified\":\"2024-11-21T08:08:59.697\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.\\n\\nThree workarounds are available. Disable app files_external. Change config setting \\\"Allow users to mount external storage\\\" to disabled in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\u2026/index.php/settings/admin/externalstorages`. 
Change config setting to disallow users to create external storages in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\u2026/index.php/settings/admin/externalstorages` with the types FTP, Nextcloud, SFTP, and/or WebDAV.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.7,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-274\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"19.0.13.9\",\"matchCriteriaId\":\"CC2A5AD6-483F-495C-87CF-2D2B6C4D9903\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExclu
ding\":\"20.0.14.14\",\"matchCriteriaId\":\"1F2E75AF-BECF-4A13-A2F4-6882F4AFE8F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"21.0.0\",\"versionEndExcluding\":\"21.0.9.12\",\"matchCriteriaId\":\"C3851B67-74A7-4D1D-8B7C-F5A0075B2700\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"22.0.0\",\"versionEndExcluding\":\"22.2.10.12\",\"matchCriteriaId\":\"C5FA775A-1796-4C82-B943-CEC91FDA6A00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"23.0.0\",\"versionEndExcluding\":\"23.0.12.7\",\"matchCriteriaId\":\"57E82EBA-930D-4B32-B2B5-3B7119C2EF8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"24.0.0\",\"versionEndExcluding\":\"24.0.12.2\",\"matchCriteriaId\":\"9603AC3F-5104-4C18-BF51-25B52BC7E146\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"25.0.0\",\"versionEndExcluding\":\"25.0.7\",\"matchCriteriaId\":\"DD58A3B6-945E-4AFC-AE5C-A374C884167B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"25.0.0\",\"versionEndExcluding\":\"25.0.7\",\"matchCriteriaId\":\"7AC695D0-BD79-42B5-BA1D-3356791E4DEC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"26.0.0\",\"versionEndExcluding\":\"26.0.2\",\"matchCriteriaId\":\"CB3473C7-E5B9-44B1-AC74-F7224D9AB78B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"26.0.0\",\"versionEndExcluding\":\"26.0.2\",\"matchCriteriaId\":\"AE95CF9F-D964-4857-8805-2CE4CF2F6328\"}]}]}],\"references\":[{\"url\":\"https://github.co
m/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/38265\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://hackerone.com/reports/1978882\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/38265\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://hackerone.com/reports/1978882\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"name\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/38265\", \"name\": \"https://github.com/nextcloud/server/pull/38265\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://hackerone.com/reports/1978882\", \"name\": \"https://hackerone.com/reports/1978882\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:37:40.579Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-35928\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-05T16:18:00.553586Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-05T16:18:05.219Z\"}}], \"cna\": {\"title\": \"Nextcloud user scoped external storage can be used to gather credentials of other users\", \"source\": {\"advisory\": \"GHSA-637g-xp2c-qh5h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nextcloud\", 
\"product\": \"security-advisories\", \"versions\": [{\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 19.0.0, \u003c 19.0.13.9\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 20.0.0.0, \u003c 20.0.14.14\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 21.0.0.0, \u003c 21.0.9.12\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 22.0.0.0, \u003c 22.2.10.12\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 23.0.0.0, \u003c 23.0.12.7\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 24.0.0.0, \u003c 24.0.12.2\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 25.0.0, \u003c 25.0.7 \"}, {\"status\": \"affected\", \"version\": \"Nextcloud Enterprise Server \u003e= 26.0.0, \u003c 26.0.2\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Server \u003e= 25.0.0, \u003c 25.0.7\"}, {\"status\": \"affected\", \"version\": \"Nextcloud Server \u003e= 26.0.0, \u003c 26.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"name\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/38265\", \"name\": \"https://github.com/nextcloud/server/pull/38265\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://hackerone.com/reports/1978882\", \"name\": \"https://hackerone.com/reports/1978882\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. 
In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.\\n\\nThree workarounds are available. Disable app files_external. Change config setting \\\"Allow users to mount external storage\\\" to disabled in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\\u2026/index.php/settings/admin/externalstorages`. Change config setting to disallow users to create external storages in \\\"Administration\\\" \u003e \\\"External storage\\\" settings `\\u2026/index.php/settings/admin/externalstorages` with the types FTP, Nextcloud, SFTP, and/or WebDAV.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-274\", \"description\": \"CWE-274: Improper Handling of Insufficient Privileges\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-23T20:58:33.225Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-35928\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-05T16:18:09.131Z\", \"dateReserved\": \"2023-06-20T14:02:45.593Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-23T20:58:33.225Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.