What is CVE-2022-36074?

CVE-2022-36074 is a vulnerability in Nextcloud server that exposes account access and compromise due to failure to strip the Authorization header on HTTP downgrade.

What is the severity of CVE-2022-36074?

CVE-2022-36074 has a severity rating of 7.5 (High).

Which versions of Nextcloud are affected by CVE-2022-36074?

Nextcloud Enterprise Server versions up to 22.2.11, Nextcloud Enterprise Server versions between 23.0.0 and 23.0.7, Nextcloud Enterprise Server versions between 24.0.0 and 24.0.3, Nextcloud Server versions up to 23.0.7, and Nextcloud Server versions between 24.0.0 and 24.0.3 are affected by CVE-2022-36074.

How can CVE-2022-36074 be fixed?

To fix CVE-2022-36074, it is recommended to update the Nextcloud Server to a version that is not affected by the vulnerability.

Where can I find more information about CVE-2022-36074?

You can find more information about CVE-2022-36074 at the following references: [GitHub Advisory](https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v), [GitHub Pull Request](https://github.com/nextcloud/server/pull/32941).

Vulnerability/
CVE-2022-36074

high

7.5

CWE

863 200

15/9/2022

3/8/2024

CVE-2022-36074: Authentication headers exposed on by Nextcloud Server

First published: Thu Sep 15 2022(Updated: )

Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Nextcloud Enterprise Server	<22.2.11
Nextcloud Nextcloud Enterprise Server	>=23.0.0<23.0.7
Nextcloud Nextcloud Enterprise Server	>=24.0.0<24.0.3
Nextcloud Nextcloud Server	<23.0.7
Nextcloud Nextcloud Server	>=24.0.0<24.0.3

Remedy

https://github.com/nextcloud/server/pull/32941

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-36074?
CVE-2022-36074 is a vulnerability in Nextcloud server that exposes account access and compromise due to failure to strip the Authorization header on HTTP downgrade.
What is the severity of CVE-2022-36074?
CVE-2022-36074 has a severity rating of 7.5 (High).
Which versions of Nextcloud are affected by CVE-2022-36074?
Nextcloud Enterprise Server versions up to 22.2.11, Nextcloud Enterprise Server versions between 23.0.0 and 23.0.7, Nextcloud Enterprise Server versions between 24.0.0 and 24.0.3, Nextcloud Server versions up to 23.0.7, and Nextcloud Server versions between 24.0.0 and 24.0.3 are affected by CVE-2022-36074.
How can CVE-2022-36074 be fixed?
To fix CVE-2022-36074, it is recommended to update the Nextcloud Server to a version that is not affected by the vulnerability.
Where can I find more information about CVE-2022-36074?
You can find more information about CVE-2022-36074 at the following references: [GitHub Advisory](https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v), [GitHub Pull Request](https://github.com/nextcloud/server/pull/32941).

collector/nvd-index
agent/references
agent/author
agent/type
agent/softwarecombine
collector/nvd-api
agent/software-canonical-lookup-request
agent/weakness
agent/remedy
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/title
agent/event
agent/first-publish-date
agent/tags
vendor/nextcloud
canonical/nextcloud nextcloud enterprise server
version/nextcloud nextcloud enterprise server/23.0.0
version/nextcloud nextcloud enterprise server/24.0.0
canonical/nextcloud nextcloud server
version/nextcloud nextcloud server/24.0.0