Bug 1226375 (CVE-2024-37884)

Summary: VUL-0: CVE-2024-37884: nextcloud: users can delete old versions of read-only shared files
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Eric Schirra <ecsos>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: camila.matos
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/410998/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description (SMASH SMASH, 2024-06-14 19:10:33 UTC)
Nextcloud Server is a self-hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that had been shared with them with read-only permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
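To make the authorization flaw and its mitigation concrete, here is an added example that models version deletion on a shared file; it is not Nextcloud's code and not the fix from the referenced pull request. The permission bit values are those of Nextcloud's OCP\Constants; the data model, the function names and the rule that discarding a version requires PERMISSION_DELETE on the share are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Permission bits as defined in Nextcloud's OCP\Constants.
PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8


class Forbidden(Exception):
    """Raised when the requesting user may not delete the version."""


@dataclass
class SharedFile:
    owner: str
    shares: dict                      # recipient -> permission bitmask granted by the sharer
    versions: list = field(default_factory=list)  # ids of older revisions still kept


def effective_permissions(f: SharedFile, user: str) -> int:
    """Owner has full rights; a recipient only what the share granted; others nothing."""
    if user == f.owner:
        return PERMISSION_READ | PERMISSION_UPDATE | PERMISSION_CREATE | PERMISSION_DELETE
    return f.shares.get(user, 0)


def delete_version_unchecked(f: SharedFile, user: str, version: str) -> None:
    """Vulnerable pattern: only verifies the user can see the file, then deletes.
    A read-only share recipient passes this check and can discard history."""
    if not effective_permissions(f, user) & PERMISSION_READ:
        raise Forbidden(user)
    f.versions.remove(version)


def delete_version(f: SharedFile, user: str, version: str) -> None:
    """Mitigated pattern (assumed rule): deleting a version is a destructive write,
    so it requires DELETE rights on the share, which a read-only share never grants."""
    if not effective_permissions(f, user) & PERMISSION_DELETE:
        raise Forbidden(user)
    f.versions.remove(version)


def make_sample() -> SharedFile:
    """Constructed sample: 'alice' owns the file and shared it read-only with 'bob'."""
    return SharedFile(owner="alice", shares={"bob": PERMISSION_READ}, versions=["v1", "v2"])
```

Running `delete_version_unchecked(make_sample(), "bob", "v1")` succeeds, which is the reported behaviour; `delete_version` refuses the same request and leaves the history intact while still allowing the owner to prune versions.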

References:
https://github.com/nextcloud/server/pull/43727
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37884
https://www.cve.org/CVERecord?id=CVE-2024-37884
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
https://hackerone.com/reports/2290680