CVE-2024-52516 (GCVE-0-2024-52516)

Vulnerability from cvelistv5 – Published: 2024-11-15 16:55 – Updated: 2024-11-15 17:32
VLAI?
Summary
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.
Severity ?
3 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
nextcloud security-advisories Affected: >= 28.0.0, < 28.0.9
Affected: >= 29.0.0, < 29.0.5
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T17:32:06.000476Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T17:32:26.732Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 28.0.0, \u003c 28.0.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 29.0.0, \u003c 29.0.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-15T16:55:18.934Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm"
        },
        {
          "name": "https://github.com/nextcloud/server/pull/47180",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/server/pull/47180"
        },
        {
          "name": "https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34"
        }
      ],
      "source": {
        "advisory": "GHSA-35gc-jc6x-29cm",
        "discovery": "UNKNOWN"
      },
      "title": "Nextcloud Server\u0027s shares are not removed when user is limited to share with in their groups and being removed from one of them"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52516",
    "datePublished": "2024-11-15T16:55:18.934Z",
    "dateReserved": "2024-11-11T18:49:23.559Z",
    "dateUpdated": "2024-11-15T17:32:26.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"26.0.0\", \"versionEndExcluding\": \"26.0.13.9\", \"matchCriteriaId\": \"6D45CC15-D185-4413-A23B-F6429C5B5C01\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"27.0.0\", \"versionEndExcluding\": \"27.1.11.9\", \"matchCriteriaId\": \"3333CF87-D08E-4B39-B783-F98D05B61F29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"28.0.0\", \"versionEndExcluding\": \"28.0.9\", \"matchCriteriaId\": \"520D5860-79BA-4426-9B84-0093B9174769\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"28.0.0\", \"versionEndExcluding\": \"28.0.9\", \"matchCriteriaId\": \"C30933C7-5AAC-42B1-85FD-62C0B62C7BC7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"29.0.0\", \"versionEndExcluding\": \"29.0.5\", \"matchCriteriaId\": \"D4797C80-C46C-445B-A778-51D36E3C8EA7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"29.0.0\", \"versionEndExcluding\": \"29.0.5\", \"matchCriteriaId\": \"135B20E4-28B1-4D85-997E-BCF322F790FD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.\"}, {\"lang\": \"es\", \"value\": \"Nextcloud Server es un sistema de nube personal alojado por uno mismo. Cuando un servidor est\\u00e1 configurado para permitir compartir \\u00fanicamente con usuarios que est\\u00e1n en sus propios grupos, despu\\u00e9s de que un usuario se haya eliminado de un grupo, los elementos compartidos anteriormente no se han dejado de compartir. Se recomienda que Nextcloud Server se actualice a 22.2.11 o 23.0.11 o 24.0.6 y que Nextcloud Enterprise Server se actualice a 22.2.11 o 23.0.11 o 24.0.6.\"}]",
      "id": "CVE-2024-52516",
      "lastModified": "2025-01-06T20:51:23.237",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"baseScore\": 3.0, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-11-15T17:15:21.070",
      "references": "[{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/47180\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52516\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-15T17:15:21.070\",\"lastModified\":\"2025-01-06T20:51:23.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.\"},{\"lang\":\"es\",\"value\":\"Nextcloud Server es un sistema de nube personal alojado por uno mismo. Cuando un servidor est\u00e1 configurado para permitir compartir \u00fanicamente con usuarios que est\u00e1n en sus propios grupos, despu\u00e9s de que un usuario se haya eliminado de un grupo, los elementos compartidos anteriormente no se han dejado de compartir. Se recomienda que Nextcloud Server se actualice a 22.2.11 o 23.0.11 o 24.0.6 y que Nextcloud Enterprise Server se actualice a 22.2.11 o 23.0.11 o 24.0.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"26.0.0\",\"versionEndExcluding\":\"26.0.13.9\",\"matchCriteriaId\":\"6D45CC15-D185-4413-A23B-F6429C5B5C01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"27.0.0\",\"versionEndExcluding\":\"27.1.11.9\",\"matchCriteriaId\":\"3333CF87-D08E-4B39-B783-F98D05B61F29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"28.0.0\",\"versionEndExcluding\":\"28.0.9\",\"matchCriteriaId\":\"520D5860-79BA-4426-9B84-0093B9174769\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"28.0.0\",\"versionEndExcluding\":\"28.0.9\",\"matchCriteriaId\":\"C30933C7-5AAC-42B1-85FD-62C0B62C7BC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"29.0.0\",\"versionEndExcluding\":\"29.0.5\",\"matchCriteriaId\":\"D4797C80-C46C-445B-A778-51D36E3C8EA7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"29.0.0\",\"versionEndExcluding\":\"29.0.5\",\"matchCriteriaId\":\"135B20E4-28B1-4D85-997E-BCF322F790FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nextcloud/server/pull/47180\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Nextcloud Server\u0027s shares are not removed when user is limited to share with in their groups and being removed from one of them\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-269\", \"lang\": \"en\", \"description\": \"CWE-269: Improper Privilege Management\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 3, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm\"}, {\"name\": \"https://github.com/nextcloud/server/pull/47180\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/nextcloud/server/pull/47180\"}, {\"name\": \"https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34\"}], \"affected\": [{\"vendor\": \"nextcloud\", \"product\": \"security-advisories\", \"versions\": [{\"version\": \"\u003e= 28.0.0, \u003c 28.0.9\", \"status\": \"affected\"}, {\"version\": \"\u003e= 29.0.0, \u003c 29.0.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-15T16:55:18.934Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.\"}], \"source\": {\"advisory\": \"GHSA-35gc-jc6x-29cm\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52516\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T17:32:06.000476Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T17:32:10.938Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52516\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-11-11T18:49:23.559Z\", \"datePublished\": \"2024-11-15T16:55:18.934Z\", \"dateUpdated\": \"2024-11-15T17:32:26.732Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.