CVE-2022-39211

Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.
SSRF
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 3 LOW | NETWORK | HIGH | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N |
EPSS Score: Percentile: Unknown
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nextcloud | nextcloud_enterprise_server | 𝑥 < 22.2.10.4 |
| nextcloud | nextcloud_enterprise_server | 23.0.0 ≤ 𝑥 < 23.0.8 |
| nextcloud | nextcloud_enterprise_server | 24.0.0 ≤ 𝑥 < 24.0.4 |
| nextcloud | nextcloud_server | 𝑥 < 23.0.8 |
| nextcloud | nextcloud_server | 24.0.0 ≤ 𝑥 < 24.0.4 |

𝑥 = Vulnerable software versions