CVE-2022-39329 : Nextcloud Server is the file server software for Nextcloud, a self-hosted produc

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available.

Published 2022-10-27 14:15:11

Updated 2023-07-14 18:53:31

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-39329

Nextcloud » Nextcloud Server
Versions before (<) 23.0.9
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 24.0.0 and before (<) 24.0.5
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Enterprise Server
Versions from including (>=) 24.0.0 and before (<) 24.0.5
cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Enterprise Server
Versions before (<) 23.0.9
cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39329

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39329

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.5	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	2.1	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-39329

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: security-advisories@github.com (Secondary)
CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: security-advisories@github.com (Secondary)
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-39329

https://hackerone.com/reports/1675014

HackerOne
Permissions Required;Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3

Profile of disabled user stays accessible · Advisory · nextcloud/security-advisories · GitHub
Third Party Advisory
https://github.com/nextcloud/server/pull/33643

Improve handling of profile page by Pytal · Pull Request #33643 · nextcloud/server · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39329

Products affected by CVE-2022-39329

Exploit prediction scoring system (EPSS) score for CVE-2022-39329

CVSS scores for CVE-2022-39329

CWE ids for CVE-2022-39329

References for CVE-2022-39329