Bug ID 1214178
Summary VUL-0: CVE-2023-39962: nextcloud: unrestricted external storage deletion
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/374998/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter carlos.lopez@suse.com
QA Contact security-team@suse.de
Target Milestone ---
Found By ---
Blocker ---

CVE-2023-39962

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 19.0.0 and prior to versions 19.0.13.10,
20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and
27.0.1, a malicious user could delete any personal or global external storage,
making them inaccessible for everyone else as well. Nextcloud server versions
25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10,
20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and
27.0.1 contain a patch for this issue. As a workaround, disable app
files_external. This also makes the external storage inaccessible but retains
the configurations until a patched version has been deployed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39962
https://www.cve.org/CVERecord?id=CVE-2023-39962
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168

