Bug 1214181 (CVE-2023-39952)

Summary: VUL-0: CVE-2023-39952: nextcloud: unrestricted subfolder access despite advanced permission checks
Product: [openSUSE] openSUSE Distribution Reporter: Carlos López <carlos.lopez>
Component: SecurityAssignee: Eric Schirra <ecsos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374976/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-08-11 08:55:17 UTC 
CVE-2023-39952

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 22.0.0 and prior to versions 22.2.10.13,
23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside
a subfolder of a groupfolder accessible to them, even if advanced permissions
would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3,
and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8,
24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known
workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39952
https://bugzilla.redhat.com/show_bug.cgi?id=2231145
https://www.cve.org/CVERecord?id=CVE-2023-39952
https://github.com/nextcloud/groupfolders/issues/1906
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq
https://github.com/nextcloud/server/pull/38890
https://hackerone.com/reports/1808079
Comment 1 Eric Schirra 2024-04-16 08:10:09 UTC 
All versions < 27 are end of life.
Version 28.0.4 os in devel and factory.
I have no rights for SLE.
osc mbranch only show sle.
So no more i can do.