Headline
CVE-2022-24889: Force an admin to install recommended applications
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling “recommended” apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8, 22.2.4, and 23.0.1.
Package
Server (Nextcloud)
Affected versions
< 21.0.8, < 22.2.4, < 23.0.1
Patched versions
21.0.8, 22.2.4, 23.0.1
Description
Impact
It is possible to trick administrators into enabling recommended apps for the Nextcloud server that they do not need, unnecessarily expanding the server's attack surface.
Patches
It is recommended that the Nextcloud Server be upgraded to 21.0.8, 22.2.4 or 23.0.1.
Workarounds
No workaround available.
References
- HackerOne
- PullRequest
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
Related news
Gentoo Linux Security Advisory 202208-17 - Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.