https://bugzilla.suse.com/show_bug.cgi?id=1214178 Bug ID: 1214178 Summary: VUL-0: CVE-2023-39962: nextcloud: unrestricted external storage deletion Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374998/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos@schirra.net Reporter: carlos.lopez@suse.com QA Contact: security-team@suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39962 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39962 https://www.cve.org/CVERecord?id=CVE-2023-39962 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xw... https://github.com/nextcloud/server/pull/39323 https://hackerone.com/reports/2047168 -- You are receiving this mail because: You are on the CC list for the bug.