CVE-2023-39962

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
nextcloudnextcloud_server
19.0.0 ≤
𝑥
< 19.0.13.10
nextcloudnextcloud_server
20.0.0 ≤
𝑥
< 20.0.14.15
nextcloudnextcloud_server
21.0.0 ≤
𝑥
< 21.0.9.13
nextcloudnextcloud_server
22.0.0 ≤
𝑥
< 22.2.10.14
nextcloudnextcloud_server
23.0.0 ≤
𝑥
< 23.0.12.9
nextcloudnextcloud_server
24.0.0 ≤
𝑥
< 24.0.12.5
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
27.0.0
nextcloudnextcloud_server
27.0.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
nextcloudserver
19.0.0 ≤
𝑥
< 19.0.13.0
ADP
nextcloudserver
20.0.0 ≤
𝑥
< 20.0.14.15
ADP
nextcloudserver
21.0.0 ≤
𝑥
< 21.0.9.13
ADP
nextcloudserver
22.0.0 ≤
𝑥
< 22.2.10.14
ADP
nextcloudserver
23.0.0 ≤
𝑥
< 23.0.12.9
ADP
nextcloudserver
24.0.0 ≤
𝑥
< 24.0.12.5
ADP
nextcloudserver
25.0.0 ≤
𝑥
< 25.0.9
ADP
nextcloudserver
26.0.0 ≤
𝑥
< 26.0.4
ADP
nextcloudserver
27.0.0 ≤
𝑥
< 27.0.1
ADP
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168