CVE-2022-36074: Infoleak
First published: Thu Sep 15 2022(Updated: )
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Enterprise Server | <22.2.11 | |
| Nextcloud Nextcloud Enterprise Server | >=23.0.0<23.0.7 | |
| Nextcloud Nextcloud Enterprise Server | >=24.0.0<24.0.3 | |
| Nextcloud Nextcloud Server | <23.0.7 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-36074?
CVE-2022-36074 is a vulnerability in Nextcloud server that exposes account access and compromise due to failure to strip the Authorization header on HTTP downgrade.
What is the severity of CVE-2022-36074?
CVE-2022-36074 has a severity rating of 7.5 (High).
Which versions of Nextcloud are affected by CVE-2022-36074?
Nextcloud Enterprise Server versions up to 22.2.11, Nextcloud Enterprise Server versions between 23.0.0 and 23.0.7, Nextcloud Enterprise Server versions between 24.0.0 and 24.0.3, Nextcloud Server versions up to 23.0.7, and Nextcloud Server versions between 24.0.0 and 24.0.3 are affected by CVE-2022-36074.
How can CVE-2022-36074 be fixed?
To fix CVE-2022-36074, it is recommended to update the Nextcloud Server to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2022-36074?
You can find more information about CVE-2022-36074 at the following references: [GitHub Advisory](https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v), [GitHub Pull Request](https://github.com/nextcloud/server/pull/32941).
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/event
- agent/type
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/nextcloud
- canonical/nextcloud nextcloud enterprise server
- version/nextcloud nextcloud enterprise server/23.0.0
- version/nextcloud nextcloud enterprise server/24.0.0
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/24.0.0