What is the vulnerability ID for this Nextcloud server vulnerability?

The vulnerability ID for this Nextcloud server vulnerability is CVE-2023-25579.

What is the severity of CVE-2023-25579?

The severity of CVE-2023-25579 is high with a severity value of 7.5.

What software versions are affected by CVE-2023-25579?

The affected versions of Nextcloud server for CVE-2023-25579 are versions up to 23.0.12, 20.0.0 to 20.0.14 (enterprise), 21.0.0 to 21.0.9 (enterprise), 22.2.0 to 22.2.10 (enterprise), 23.0.0 to 23.0.12 (enterprise), 24.0.0 to 24.0.8, and 25.0.0 to 25.0.2 (enterprise).

How does CVE-2023-25579 impact Nextcloud server?

CVE-2023-25579 impacts Nextcloud server by allowing the creation of paths outside of the defined storage directory, potentially enabling unauthorized access to sensitive files.

Is there a fix available for CVE-2023-25579?

Yes, a fix is available for CVE-2023-25579. Users should update Nextcloud server to a version that includes the fix.

Vulnerability/
CVE-2023-25579

high

7.5

CWE

22/2/2023

3/3/2023

CVE-2023-25579: Path Traversal

First published: Wed Feb 22 2023(Updated: )

Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Nextcloud Server	<23.0.12
Nextcloud Nextcloud Server	>=20.0.0<20.0.14
Nextcloud Nextcloud Server	>=21.0.0<21.0.9
Nextcloud Nextcloud Server	>=22.2.0<22.2.10
Nextcloud Nextcloud Server	>=23.0.0<23.0.12
Nextcloud Nextcloud Server	>=24.0.0<24.0.8
Nextcloud Nextcloud Server	>=24.0.0<24.0.8
Nextcloud Nextcloud Server	>=25.0.0<25.0.2
Nextcloud Nextcloud Server	>=25.0.0<25.0.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this Nextcloud server vulnerability?
The vulnerability ID for this Nextcloud server vulnerability is CVE-2023-25579.
What is the severity of CVE-2023-25579?
The severity of CVE-2023-25579 is high with a severity value of 7.5.
What software versions are affected by CVE-2023-25579?
The affected versions of Nextcloud server for CVE-2023-25579 are versions up to 23.0.12, 20.0.0 to 20.0.14 (enterprise), 21.0.0 to 21.0.9 (enterprise), 22.2.0 to 22.2.10 (enterprise), 23.0.0 to 23.0.12 (enterprise), 24.0.0 to 24.0.8, and 25.0.0 to 25.0.2 (enterprise).
How does CVE-2023-25579 impact Nextcloud server?
CVE-2023-25579 impacts Nextcloud server by allowing the creation of paths outside of the defined storage directory, potentially enabling unauthorized access to sensitive files.
Is there a fix available for CVE-2023-25579?
Yes, a fix is available for CVE-2023-25579. Users should update Nextcloud server to a version that includes the fix.

collector/nvd-index
vendor/nextcloud
canonical/nextcloud nextcloud server
version/nextcloud nextcloud server/20.0.0
version/nextcloud nextcloud server/21.0.0
version/nextcloud nextcloud server/22.2.0
version/nextcloud nextcloud server/23.0.0
version/nextcloud nextcloud server/24.0.0
version/nextcloud nextcloud server/25.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.