CVE-2023-25162: SSRF
First published: Mon Feb 13 2023(Updated: )
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | <23.0.12 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-25162?
CVE-2023-25162 is a vulnerability in Nextcloud Server that allows server-side request forgery (SSRF) attacks.
How does CVE-2023-25162 affect Nextcloud Server?
CVE-2023-25162 affects Nextcloud Server versions prior to 24.0.8 and 23.0.12, as well as Nextcloud Enterprise server versions prior to 24.0.8 and 23.0.12.
What is the severity of CVE-2023-25162?
CVE-2023-25162 has a severity value of 5.3, which is considered medium severity.
How can attackers exploit CVE-2023-25162?
Attackers can exploit CVE-2023-25162 by leveraging server-side request forgery (SSRF) to perform unauthorized actions.
How do I fix CVE-2023-25162?
To fix CVE-2023-25162, users should update their Nextcloud Server installations to version 24.0.8 or 23.0.12, or upgrade to Nextcloud Enterprise Server 24.0.8 or 23.0.12.
- collector/nvd-index
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/24.0.0