CVE-2024-37887

Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595	Vendor Advisory
https://github.com/nextcloud/server/pull/45309	Patch
https://hackerone.com/reports/2479325	Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595	Vendor Advisory
https://github.com/nextcloud/server/pull/45309	Patch
https://hackerone.com/reports/2479325	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::-:::
	cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::enterprise:::

History

No history.

Information

Published : 2024-06-14 16:15

Updated : 2024-11-21 09:24

NVD link : CVE-2024-37887

Mitre link : CVE-2024-37887

CVE.ORG link : CVE-2024-37887

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-37887", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2024-06-14T16:15:14.237", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/45309", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2479325", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nextcloud/server/pull/45309", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2479325", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1."}, {"lang": "es", "value": "Nextcloud Server es un sistema de nube personal autohospedado. Los participantes pueden leer las excepciones de recurrencia de los eventos privados del calendario compartido. Se recomienda que Nextcloud Server se actualice a 27.1.10 o 28.0.6 o 29.0.1 y que Nextcloud Enterprise Server se actualice a 27.1.10 o 28.0.6 o 29.0.1."}], "lastModified": "2024-11-21T09:24:28.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "F38721C1-838D-4E12-80EA-4A275C457A97", "versionEndExcluding": "27.1.10", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "54300595-D23D-4F77-8F68-C6B60D6CB0D2", "versionEndExcluding": "27.1.10", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "BE4CD3B0-788F-41F8-98A9-388853A84D0C", "versionEndIncluding": "28.0.6", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "84E246F1-39F9-4AAB-9049-4002E5EF539A", "versionEndExcluding": "28.0.6", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:29.0.0:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "45508E90-8438-4A52-900E-A2154096E31C"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:29.0.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "8573835A-33F1-4598-83F4-EBCE44EDE95D"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}