Vulnerability Details : CVE-2023-25579
Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: Directory traversal
Products affected by CVE-2023-25579
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 20.0.0 and before (<) 20.0.14cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 21.0.0 and before (<) 21.0.9cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 23.0.0 and before (<) 23.0.12cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 25.0.0 and before (<) 25.0.2cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 22.2.0 and before (<) 22.2.10cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
- Nextcloud » Nextcloud Server » Enterprise EditionVersions from including (>=) 24.0.0 and before (<) 24.0.8cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25579
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-25579
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST | |
6.0
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L |
1.8
|
3.7
|
GitHub, Inc. |
CWE ids for CVE-2023-25579
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2023-25579
-
https://github.com/nextcloud/server/pull/35074
Make sure that path is normalized and then checked, by come-nc · Pull Request #35074 · nextcloud/server · GitHubPatch
-
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v
Potential directory traversal in OC\Files\Node\Folder::getFullPath · Advisory · nextcloud/security-advisories · GitHubVendor Advisory
Jump to