Vulnerability Description
Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 24.0.0, < 24.0.7 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cThird Party Advisory
- https://github.com/nextcloud/server/pull/34788PatchThird Party Advisory
- https://hackerone.com/reports/1745766Permissions RequiredThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9mh6-cThird Party Advisory
- https://github.com/nextcloud/server/pull/34788PatchThird Party Advisory
- https://hackerone.com/reports/1745766Permissions RequiredThird Party Advisory
FAQ
What is CVE-2022-41970?
CVE-2022-41970 is a vulnerability with a CVSS score of 2.6 (LOW). Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and prev...
How severe is CVE-2022-41970?
CVE-2022-41970 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-41970?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.