CVE-2022-36075 : Nextcloud files access control is a nextcloud app to manage access control for f

Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue

Published 2022-09-15 22:15:11

Updated 2022-09-19 19:16:07

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2022-36075

Nextcloud » Files Access Control
Versions before (<) 1.12.2
cpe:2.3:a:nextcloud:files_access_control:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Files Access Control » Version: 1.14.0
cpe:2.3:a:nextcloud:files_access_control:1.14.0:*:*:*:*:*:*:*
Matching versions
Nextcloud » Files Access Control » Version: 1.13.0
cpe:2.3:a:nextcloud:files_access_control:1.13.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36075

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 11 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36075

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
2.6	LOW	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N	1.0	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-36075

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Secondary)
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-36075

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w

Listing folder content blocked by files access control when received as share · Advisory · nextcloud/security-advisories · GitHub
Third Party Advisory
https://github.com/nextcloud/files_accesscontrol/pull/248

don't exclude shared storage from wrapper by icewind1991 · Pull Request #248 · nextcloud/files_accesscontrol · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36075

Products affected by CVE-2022-36075

Exploit prediction scoring system (EPSS) score for CVE-2022-36075

CVSS scores for CVE-2022-36075

CWE ids for CVE-2022-36075

References for CVE-2022-36075