CVE-2023-25579 - OpenCVE

Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nextcloud	Nextcloud Server

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v
https://github.com/nextcloud/server/pull/35074

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-22T18:21:10.573Z

Updated: 2024-08-02T11:25:19.266Z

Reserved: 2023-02-07T17:10:00.743Z

Link: CVE-2023-25579

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-02-22T19:15:11.697

Modified: 2023-03-03T15:09:20.680

Link: CVE-2023-25579

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25579", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-07T17:10:00.743Z", "datePublished": "2023-02-22T18:21:10.573Z", "dateUpdated": "2024-08-02T11:25:19.266Z"}, "containers": {"cna": {"title": "Directory traversal in Nextcloud server", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v"}, {"name": "https://github.com/nextcloud/server/pull/35074", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/server/pull/35074"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": "< 23.0.12", "status": "affected"}, {"version": ">= 24.0.0, < 24.0.8", "status": "affected"}, {"version": ">= 25.0.0, < 25.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-02-22T18:21:10.573Z"}, "descriptions": [{"lang": "en", "value": "Nextcloud server is a self hosted home cloud product. In affected versions the `OC\\Files\\Node\\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-273v-9h7x-p68v", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:25:19.266Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v"}, {"name": "https://github.com/nextcloud/server/pull/35074", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/server/pull/35074"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B50151BE-566E-4F7F-BFF5-CDBA5A0AE4B8", "versionEndExcluding": "23.0.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "00D6E726-5ED1-4409-8063-903F9DF581C6", "versionEndExcluding": "20.0.14", "versionStartIncluding": "20.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3A67058C-45D1-48DD-9247-1F465D0FBC19", "versionEndExcluding": "21.0.9", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F019288C-0D86-4F4B-B6FE-7D6A5BE4125C", "versionEndExcluding": "22.2.10", "versionStartIncluding": "22.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "61D5D9C2-C03D-4F66-89B5-D5F94EFBCDAB", "versionEndExcluding": "23.0.12", "versionStartIncluding": "23.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7827F3FA-9D17-4915-90CB-B3652E310F0E", "versionEndExcluding": "24.0.8", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FF5F1D96-7883-40CD-82A4-13AAF12F53D2", "versionEndExcluding": "24.0.8", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D5A8D9E-E394-4841-8177-BBC971CAF023", "versionEndExcluding": "25.0.2", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A263A4CF-DF40-41F3-BB9A-D03FF96FF6F6", "versionEndExcluding": "25.0.2", "versionStartIncluding": "25.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud server is a self hosted home cloud product. In affected versions the `OC\\Files\\Node\\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue."}], "id": "CVE-2023-25579", "lastModified": "2023-03-03T15:09:20.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-02-22T19:15:11.697", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-273v-9h7x-p68v"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/server/pull/35074"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}