CVE-2022-41970
2.6
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 24.0.7 | affected |
| nextcloud | security-advisories | >= 25.0.0, < 25.0.1 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cph8-772c
- https://github.com/nextcloud/server/pull/34788
- https://hackerone.com/reports/1745766
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cph8-772c
- https://github.com/nextcloud/server/pull/34788
- https://hackerone.com/reports/1745766
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.