Bug ID 1214181
Summary VUL-0: CVE-2023-39952: nextcloud: unrestricted subfolder access despite advanced permission checks
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/374976/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter carlos.lopez@suse.com
QA Contact security-team@suse.de
Target Milestone ---
Found By ---
Blocker --- 

CVE-2023-39952

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 22.0.0 and prior to versions 22.2.10.13,
23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files
inside
a subfolder of a groupfolder accessible to them, even if advanced permissions
would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3,
and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8,
24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known
workarounds are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39952
https://bugzilla.redhat.com/show_bug.cgi?id=2231145
https://www.cve.org/CVERecord?id=CVE-2023-39952
https://github.com/nextcloud/groupfolders/issues/1906
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq
https://github.com/nextcloud/server/pull/38890
https://hackerone.com/reports/1808079

You are receiving this mail because: