VDB

CVE-2023-25579

CVE-2023-25579 PUBLISHED CVSS 6 MEDIUM

Nextcloud server is a self-hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function validated and normalized the path string in the wrong order. The function is used by `newFile()` and `newFolder()`, which may allow the creation of paths outside of one's own space and the overwriting of other users' data with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.
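The ordering defect described above, as an added illustration that is not Nextcloud's code: a constructed per-user path resolver in Python, with the containment check run on the raw string before normalization beside the corrected order (normalize first, then confine to the user's root). The function names, the `/alice/files` root and the sample paths are assumptions for the example.

```python
import posixpath

# Constructed illustration of the bug class, not Nextcloud's code.
# A user's storage root and a caller-supplied relative path are joined
# into a full path; what matters is whether the containment check sees
# the path before or after '..' segments have been resolved.


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes the way a storage layer would."""
    # A single leading '/' is forced so posixpath.normpath never keeps a '//' prefix.
    return posixpath.normpath("/" + path.lstrip("/"))


def full_path_validate_then_normalize(user_root: str, relative: str) -> str:
    """Wrong order: the prefix check runs on the raw string, then '..' is resolved."""
    root = user_root.rstrip("/")
    candidate = root + "/" + relative.lstrip("/")
    # The raw string still begins with the user's root, so this check passes ...
    if not candidate.startswith(root + "/"):
        raise PermissionError("path outside user space")
    # ... and normalization afterwards can move the result out of that root.
    return normalize(candidate)


def full_path_normalize_then_validate(user_root: str, relative: str) -> str:
    """Corrected order: resolve the path first, then confine it to the root."""
    root = normalize(user_root)
    candidate = normalize(root + "/" + relative)
    # Accept the root itself or a strict descendant of it; reject anything else.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path outside user space")
    return candidate


def escapes_root(user_root: str, relative: str) -> bool:
    """Regression check: does the wrong ordering resolve outside the user's root?"""
    resolved = full_path_validate_then_normalize(user_root, relative)
    root = normalize(user_root)
    return resolved != root and not resolved.startswith(root + "/")


def confined(user_root: str, relative: str) -> bool:
    """True when the corrected resolver accepts the path, False when it rejects it."""
    try:
        full_path_normalize_then_validate(user_root, relative)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    ROOT = "/alice/files"                    # assumed per-user root
    crafted = "../../bob/files/notes.txt"    # constructed sample input
    print(full_path_validate_then_normalize(ROOT, crafted))   # resolves under /bob/files
    print(confined(ROOT, crafted))                            # False: rejected after the fix
    print(confined(ROOT, "docs/report.txt"))                  # True: ordinary path still works
```

The `escapes_root` helper is the kind of unit test a project would add alongside such a fix: it asserts that a traversal string is caught, and it fails loudly if someone later reorders the check and the normalization again.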

EPSS 0.35% · 57.8th percentile

Risk Scores

CVSS 3.1
6
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS Score
0.35%
57.8th percentile

Affected Products

Vendor       Product               Versions
nextcloud    nextcloud_server      0, 20.0.0, 21.0.0
Nextcloud    N/A
nextcloud    security-advisories   < 23.0.12, >= 24.0.0, < 24.0.8, >= 25.0.0, < 25.0.2

Timeline

  • Nov 10, 2022 Fix PR Merged
  • Feb 22, 2023 CVE Published
  • Feb 23, 2023 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Apr 3, 2023 EPSS Score
  • May 13, 2023 EPSS Score
  • Jun 21, 2023 EPSS Score
  • Jul 31, 2023 EPSS Score
  • Sep 8, 2023 EPSS Score
  • Oct 17, 2023 EPSS Score
  • Nov 26, 2023 EPSS Score
  • Jan 4, 2024 EPSS Score