CVE-2023-39962: Users can delete external storage mount points
First published: Thu Aug 10 2023(Updated: )
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | >=19.0.0<19.0.13.10 | |
| Nextcloud Nextcloud Server | >=20.0.0<20.0.14.15 | |
| Nextcloud Nextcloud Server | >=21.0.0<21.0.9.13 | |
| Nextcloud Nextcloud Server | >=22.0.0<22.2.10.14 | |
| Nextcloud Nextcloud Server | >=23.0.0<23.0.12.9 | |
| Nextcloud Nextcloud Server | >=24.0.0<24.0.12.5 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.9 | |
| Nextcloud Nextcloud Server | >=25.0.0<25.0.9 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.4 | |
| Nextcloud Nextcloud Server | >=26.0.0<26.0.4 | |
| Nextcloud Nextcloud Server | =27.0.0 | |
| Nextcloud Nextcloud Server | =27.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-39962?
CVE-2023-39962 is a vulnerability in Nextcloud Server that allows a malicious user to delete any personal or global external storage.
How does CVE-2023-39962 impact Nextcloud Server?
CVE-2023-39962 can be used by an attacker to delete personal or global external storage on Nextcloud Server.
What is the severity of CVE-2023-39962?
CVE-2023-39962 has a severity score of 7.7 (high).
Which versions of Nextcloud Server are affected by CVE-2023-39962?
Nextcloud Server versions 19.0.0 to 19.0.13.10, 20.0.0 to 20.0.14.15, 21.0.0 to 21.0.9.13, 22.0.0 to 22.2.10.14, 23.0.0 to 23.0.12.8, 24.0.0 to 24.0.12.5, 25.0.0 to 25.0.9, 26.0.0 to 26.0.4, and 27.0.0 are affected by CVE-2023-39962.
How can I fix CVE-2023-39962 in Nextcloud Server?
To fix CVE-2023-39962, it is recommended to upgrade Nextcloud Server to a version higher than or equal to 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.0.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, or 27.0.1.
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/severity
- agent/references
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/19.0.0
- version/nextcloud nextcloud server/20.0.0
- version/nextcloud nextcloud server/21.0.0
- version/nextcloud nextcloud server/22.0.0
- version/nextcloud nextcloud server/23.0.0
- version/nextcloud nextcloud server/24.0.0
- version/nextcloud nextcloud server/25.0.0
- version/nextcloud nextcloud server/26.0.0
- version/nextcloud nextcloud server/27.0.0