Bug 1226375 (CVE-2024-37884) - VUL-0: CVE-2024-37884: nextcloud: users can delete old versions of read-only shared files
Status: RESOLVED FIXED
Alias: CVE-2024-37884
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/410998/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-14 19:10 UTC by SMASH SMASH
Modified: 2024-06-14 19:16 UTC
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-06-14 19:10:33 UTC
Nextcloud Server is a self-hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that had only been shared with them with read permissions. It is recommended that Nextcloud Server be upgraded to 26.0.12, 27.1.7 or 28.0.3, and that Nextcloud Enterprise Server be upgraded to 26.0.12, 27.1.7 or 28.0.3.

References:
https://github.com/nextcloud/server/pull/43727
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37884
https://www.cve.org/CVERecord?id=CVE-2024-37884
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
https://hackerone.com/reports/2290680
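The flaw described above is a missing authorization check: a request to delete an entry of a file's version history was honoured for a recipient who only held read access on the share. The following PHP snippet is an added illustration written for this page; it is not Nextcloud's code and does not use its APIs. It contrasts a handler that only verifies the caller can see the file with one that requires the DELETE bit before touching the owner's version history. The permission bit values mirror those Nextcloud publishes in `\OCP\Constants` (READ=1, UPDATE=2, CREATE=4, DELETE=8, SHARE=16); the `Share` class, the in-memory share table, the user names and the `purgeVersion` stand-in are all constructed for the example.

```php
<?php
// Added illustration (not Nextcloud's code): the authorization check a
// versions-delete endpoint must perform before acting on a shared file.
// Permission bits mirror \OCP\Constants values; everything else here
// (class names, share table, user names) is constructed for the example.

const PERMISSION_READ   = 1;
const PERMISSION_UPDATE = 2;
const PERMISSION_CREATE = 4;
const PERMISSION_DELETE = 8;
const PERMISSION_SHARE  = 16;

final class Share {
    public function __construct(
        public string $owner,
        public string $recipient,
        public string $path,
        public int $permissions,
    ) {}
}

/** Constructed share table: alice shares report.odt with bob read-only,
 *  and budget.ods with carol including update and delete rights. */
function shareTable(): array {
    return [
        new Share('alice', 'bob',   '/report.odt', PERMISSION_READ),
        new Share('alice', 'carol', '/budget.ods',
            PERMISSION_READ | PERMISSION_UPDATE | PERMISSION_DELETE),
    ];
}

function findShare(array $shares, string $user, string $path): ?Share {
    foreach ($shares as $share) {
        if ($share->recipient === $user && $share->path === $path) {
            return $share;
        }
    }
    return null;
}

/** Stand-in for the storage call that removes one entry of the version history. */
function purgeVersion(string $owner, string $path, string $versionId): bool {
    error_log("purged version $versionId of $owner:$path");
    return true;
}

/** Vulnerable shape: the request is honoured as soon as the caller can *see*
 *  the file, so a read-only recipient can erase the owner's version history. */
function deleteVersionUnchecked(array $shares, string $user, string $path, string $versionId): bool {
    $share = findShare($shares, $user, $path);
    if ($share === null) {
        return false;   // no access to the file at all
    }
    return purgeVersion($share->owner, $path, $versionId);
}

/** Hardened shape: deleting a version is a destructive operation on the
 *  owner's data, so it requires the DELETE bit on the share, not just READ. */
function deleteVersionChecked(array $shares, string $user, string $path, string $versionId): bool {
    $share = findShare($shares, $user, $path);
    if ($share === null || ($share->permissions & PERMISSION_DELETE) === 0) {
        error_log("denied: $user lacks DELETE on $path (version $versionId)");
        return false;
    }
    return purgeVersion($share->owner, $path, $versionId);
}

$shares = shareTable();
// bob holds only READ: the unchecked handler still purges, which is the bug
var_dump(deleteVersionUnchecked($shares, 'bob', '/report.odt', 'v1'));
// the checked handler refuses the same request
var_dump(deleteVersionChecked($shares, 'bob', '/report.odt', 'v1'));
// carol holds DELETE on her share, so the checked handler allows it
var_dump(deleteVersionChecked($shares, 'carol', '/budget.ods', 'v1'));
```

The check sits on the share the caller actually received, not on the owner's own permissions over the file, and it keys on the specific bit that the operation needs (DELETE), since the version history belongs to the owner and a read-only recipient should have no way to shrink it. The `error_log` line in the denied branch is the kind of event a defender would want to see in server logs, as a burst of such denials from one account is a useful signal.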