CVE-2023-26482

2023-03-3019:15:06

CWE-78

[email protected]

web.nvd.nist.gov

nextcloud

scope validation

non-admin

rce

upgrade

mitigation

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

52.4%

JSON

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app workflow_scripts and workflow_pdf_converter as a mitigation.

Affected configurations

Nvd

Node

nextcloudnextcloud_serverRange18.0.0–20.0.14.12enterprise

nextcloudnextcloud_serverRange21.0.0–21.0.9.10enterprise

nextcloudnextcloud_serverRange22.0.0–22.2.10.10enterprise

nextcloudnextcloud_serverRange23.0.0–23.0.12.5enterprise

nextcloudnextcloud_serverRange24.0.0–24.0.10-

nextcloudnextcloud_serverRange24.0.0–24.0.10enterprise

nextcloudnextcloud_serverRange25.0.0–25.0.4-

nextcloudnextcloud_serverRange25.0.0–25.0.4enterprise

VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*