Bugzilla – Bug 1226373
VUL-0: CVE-2024-37315: nextcloud: read-only users can restore old versions of a document when the files_versions app is enabled
Last modified: 2024-06-15 09:29:52 UTC
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37315 https://www.cve.org/CVERecord?id=CVE-2024-37315 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/1356508
This once again shows a problem with the stubborn adherence to the default of no major or minor update of packages. The major version 24 is EndOfLife since 2023-04. https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule Leap 15.6 just came out a few days ago. With a package that has been dead for a year. You can't update from 24 to 29 either. Even if you are allowed to according to suse specifications. Because in nextcloud you only have to/may only update one level at a time. 24 -> 25 -> 26 -> 27 -> 28 -> 29. So what should you do in this case?