CVE-2024-52516

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
GitHub_MCNA
3 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.13.9
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.11.9
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.9
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.9
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.5
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35gc-jc6x-29cm
https://github.com/nextcloud/server/commit/142b6e313ffa9d3b950bcd23cb58850d3ae7cf34
https://github.com/nextcloud/server/pull/47180