Bug 1226374 (CVE-2024-37882)

Summary: VUL-0: CVE-2024-37882: nextcloud: recipients of a share with read&share permissions could reshare the item with more permissions
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Eric Schirra <ecsos>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/410996/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-14 19:06:54 UTC 
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37882
https://www.cve.org/CVERecord?id=CVE-2024-37882
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
https://github.com/nextcloud/server/pull/44339
https://hackerone.com/reports/2289425
Comment 2 Eric Schirra 2024-06-15 09:29:38 UTC 
This once again shows a problem with the stubborn adherence to the default of no major or minor update of packages.
The major version 24 is EndOfLife since 2023-04.
https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule

Leap 15.6 just came out a few days ago. With a package that has been dead for a year.

You can't update from 24 to 29 either. Even if you are allowed to according to suse specifications. Because in nextcloud you only have to/may only update one level at a time. 24 -> 25 -> 26 -> 27 -> 28 -> 29.

So what should you do in this case?