FKIE_CVE-2024-52514

Vulnerability from fkie_nvd - Published: 2024-11-15 18:15 - Updated: 2025-10-01 17:49
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.
References
security-advisories@github.comhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xjVendor Advisory
security-advisories@github.comhttps://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8Patch
security-advisories@github.comhttps://github.com/nextcloud/server/pull/44889Issue Tracking
security-advisories@github.comhttps://hackerone.com/reports/2447316Issue Tracking
Impacted products
Vendor Product Version
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "706A1693-E875-4415-952F-E75B604921C6",
              "versionEndExcluding": "21.0.9.18",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "50CDDF4F-5847-4845-B157-294B710C8C67",
              "versionEndExcluding": "22.2.10.23",
              "versionStartIncluding": "22.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "F0DD12C6-1131-4592-A982-EBB94B4E988B",
              "versionEndExcluding": "23.0.12.18",
              "versionStartIncluding": "23.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "7C01B757-C3F0-4EE5-9BFE-1BF3E04B41DC",
              "versionEndExcluding": "24.0.12.14",
              "versionStartIncluding": "24.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "F7E48564-67A7-4DC6-8255-17ACDD51C89D",
              "versionEndExcluding": "25.0.13.9",
              "versionStartIncluding": "25.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "59A5E850-EE98-48D9-B3EE-6BFDF7871680",
              "versionEndExcluding": "26.0.13.3",
              "versionStartIncluding": "26.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "F3C44EC8-B9CF-47E8-B22E-DD03701A3DC4",
              "versionEndExcluding": "27.1.9",
              "versionStartIncluding": "27.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "59920E6C-B103-4BBF-98BF-A2654E947767",
              "versionEndExcluding": "27.1.9",
              "versionStartIncluding": "27.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "03D199A9-7EFC-4FDC-87C1-FF55CC90EE5B",
              "versionEndExcluding": "28.0.5",
              "versionStartIncluding": "28.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "C69E020E-92FA-4DF5-A612-3D1C06D15ECD",
              "versionEndExcluding": "28.0.5",
              "versionStartIncluding": "28.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0."
    },
    {
      "lang": "es",
      "value": "Nextcloud Server es un sistema de nube personal alojado por uno mismo. Despu\u00e9s de que un usuario reciba un recurso compartido con algunos archivos dentro que est\u00e1n bloqueados por el control de acceso a archivos, el usuario a\u00fan podr\u00e1 copiar la carpeta intermedia dentro de Nextcloud, lo que le permitir\u00e1 acceder potencialmente a los archivos bloqueados despu\u00e9s, seg\u00fan las reglas de control de acceso del usuario. Se recomienda que Nextcloud Server se actualice a 27.1.9, 28.0.5 o 29.0.0 y que Nextcloud Enterprise Server se actualice a 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 o 29.0.0."
    }
  ],
  "id": "CVE-2024-52514",
  "lastModified": "2025-10-01T17:49:30.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-15T18:15:30.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nextcloud/server/pull/44889"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://hackerone.com/reports/2447316"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.