Vulnerability Description
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 21.0.8 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6Third Party Advisory
- https://github.com/nextcloud/server/pull/30615Third Party Advisory
- https://hackerone.com/reports/1403614ExploitThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6Third Party Advisory
- https://github.com/nextcloud/server/pull/30615Third Party Advisory
- https://hackerone.com/reports/1403614ExploitThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
FAQ
What is CVE-2022-24889?
CVE-2022-24889 is a vulnerability with a CVSS score of 2.4 (LOW). Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "rec...
How severe is CVE-2022-24889?
CVE-2022-24889 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24889?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.