CVE Vulnerabilities

CVE-2024-52516

Improper Privilege Management

Published: Nov 15, 2024 | Modified: Jan 06, 2025
CVSS 3.x
4.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name Vendor Start Version End Version
Nextcloud_server Nextcloud 26.0.0 (including) 26.0.13.9 (excluding)
Nextcloud_server Nextcloud 27.0.0 (including) 27.1.11.9 (excluding)
Nextcloud_server Nextcloud 28.0.0 (including) 28.0.9 (excluding)
Nextcloud_server Nextcloud 29.0.0 (including) 29.0.5 (excluding)

Potential Mitigations

References