| Field | Value |
| --- | --- |
| Vulnerability Name | CVE-2022-24889 (CCN-225297) |
| Assigned | 2022-04-27 |
| Published | 2022-04-27 |
| Updated | 2022-10-25 |
| Summary | Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8, 22.2.4, and 23.0.1. |
| CVSS v3 Severity | 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N); 3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C); 2.1 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| Vulnerability Type | CWE-345 |
| Vulnerability Consequences | Gain Access |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 (legend: denotes that component is vulnerable) |

References:

- Source: MITRE, Type: CNA: CVE-2022-24889
- Source: XF, Type: UNKNOWN: nextcloud-cve202224889-sec-bypass(225297)
- Source: CCN, Type: Nextcloud GIT Repository: Force an admin to install recommended applications
- Source: CONFIRM, Type: Third Party Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6prg-gvw6
- Source: MISC, Type: Third Party Advisory: https://github.com/nextcloud/server/pull/30615
- Source: MISC, Type: Exploit, Third Party Advisory: https://hackerone.com/reports/1403614
- Source: GENTOO, Type: Third Party Advisory: GLSA-202208-17
- Source: CCN, Type: Mend Vulnerability Database: CVE-2022-24889