CVE-2023-39962

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
GitHub_MCNA
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
nextcloudnextcloud_server
19.0.0 ≤
𝑥
< 19.0.13.10
nextcloudnextcloud_server
20.0.0 ≤
𝑥
< 20.0.14.15
nextcloudnextcloud_server
21.0.0 ≤
𝑥
< 21.0.9.13
nextcloudnextcloud_server
22.0.0 ≤
𝑥
< 22.2.10.14
nextcloudnextcloud_server
23.0.0 ≤
𝑥
< 23.0.12.9
nextcloudnextcloud_server
24.0.0 ≤
𝑥
< 24.0.12.5
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.9
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.4
nextcloudnextcloud_server
27.0.0
nextcloudnextcloud_server
27.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168