CVE-2023-30539: Users can set up workflows using restricted and invisible system tags in Nextcloud
First published: Mon Apr 17 2023(Updated: )
Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow related apps. Users are advised to upgrade.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Files Automated Tagging | >=1.14.0<1.14.2 | |
| Nextcloud Nextcloud Files Automated Tagging | >=1.15.0<1.15.3 | |
| Nextcloud Nextcloud Files Automated Tagging | =1.11.0 | |
| Nextcloud Nextcloud Files Automated Tagging | =1.12.0 | |
| Nextcloud Nextcloud Files Automated Tagging | =1.13.0 | |
| Nextcloud Nextcloud Files Automated Tagging | =1.16.0 | |
| Nextcloud Nextcloud Server | >=21.0.0<21.0.9.11 | |
| Nextcloud Nextcloud Server | >=22.0.0<22.2.10.11 | |
| Nextcloud Nextcloud Server | >=23.0.0<23.0.12.6 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.11 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.11 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.5 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-30539?
CVE-2023-30539 is a vulnerability in Nextcloud Files Automated Tagging that can be exploited to limit or grant access to files based on system tags or retention rules.
What is the severity of CVE-2023-30539?
CVE-2023-30539 has a severity rating of 8.8, which is considered high.
Which software versions are affected by CVE-2023-30539?
The affected software versions include Nextcloud Files Automated Tagging versions 1.11.0 to 1.16.0 and Nextcloud Server versions 21.0.0 to 25.0.5.
How can I fix CVE-2023-30539?
To fix CVE-2023-30539, it is recommended to update Nextcloud Files Automated Tagging to version 1.16.1 or later, and Nextcloud Server to version 25.0.6 or later.
Where can I find more information about CVE-2023-30539?
You can find more information about CVE-2023-30539 on the Nextcloud security advisories page.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/title
- agent/severity
- agent/first-publish-date
- agent/event
- agent/tags
- agent/description
- vendor/nextcloud
- canonical/nextcloud nextcloud files automated tagging
- version/nextcloud nextcloud files automated tagging/1.14.0
- version/nextcloud nextcloud files automated tagging/1.15.0
- version/nextcloud nextcloud files automated tagging/1.11.0
- version/nextcloud nextcloud files automated tagging/1.12.0
- version/nextcloud nextcloud files automated tagging/1.13.0
- version/nextcloud nextcloud files automated tagging/1.16.0
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/21.0.0
- version/nextcloud nextcloud server/22.0.0
- version/nextcloud nextcloud server/23.0.0
- version/nextcloud nextcloud server/24.0.0
- version/nextcloud nextcloud server/25.0.0