CVE-2024-30247 - Vulnerability Details - OpenCVE

NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01339.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Nextcloud	Nextcloudpi

Configuration 1 [-]

cpe:2.3:a:nextcloud:nextcloudpi:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-28178	NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-29T15:57:57.034Z

Updated: 2024-08-02T01:32:05.394Z

Reserved: 2024-03-26T12:52:00.933Z

Link: CVE-2024-30247

Vulnrichment

Updated: 2024-07-31T20:54:44.109Z

NVD

Status : Analyzed

Published: 2024-03-29T16:15:09.130

Modified: 2025-05-07T17:35:00.107

Link: CVE-2024-30247

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-30247", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-26T12:52:00.933Z", "datePublished": "2024-03-29T15:57:57.034Z", "dateUpdated": "2024-08-02T01:32:05.394Z"}, "containers": {"cna": {"title": "Command Injection as root in NextCloudPi web panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982"}], "affected": [{"vendor": "nextcloud", "product": "nextcloudpi", "versions": [{"version": "< 1.53.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-29T15:57:57.034Z"}, "descriptions": [{"lang": "en", "value": "NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1."}], "source": {"advisory": "GHSA-m597-72v7-j982", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "nextcloud", "product": "nextcloudpi", "cpes": ["cpe:2.3:a:nextcloud:nextcloudpi:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.53.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T20:24:32.073195Z", "id": "CVE-2024-30247", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:55:53.041Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:32:05.394Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-31T20:24:32.073195Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nextcloud:nextcloudpi:*:*:*:*:*:*:*:*"], "vendor": "nextcloud", "product": "nextcloudpi", "versions": [{"status": "affected", "version": "0", "lessThan": "1.53.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:54:44.109Z"}}], "cna": {"title": "Command Injection as root in NextCloudPi web panel", "source": {"advisory": "GHSA-m597-72v7-j982", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nextcloud", "product": "nextcloudpi", "versions": [{"status": "affected", "version": "< 1.53.1"}]}], "references": [{"url": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982", "name": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-29T15:57:57.034Z"}}}, "cveMetadata": {"cveId": "CVE-2024-30247", "state": "PUBLISHED", "dateUpdated": "2024-07-31T20:55:53.041Z", "dateReserved": "2024-03-26T12:52:00.933Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-29T15:57:57.034Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloudpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9B70CFA-3DDF-4C93-8A9E-26F1C3AF496F", "versionEndExcluding": "1.53.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1."}, {"lang": "es", "value": "NextcloudPi es una imagen lista para usar para M\u00e1quinas Virtuales, Raspberry Pi, Odroid HC1, Rock64 y otras placas. Una vulnerabilidad de inyecci\u00f3n de comandos en NextCloudPi permite la ejecuci\u00f3n de comandos como usuario root a trav\u00e9s del panel web de NextCloudPi. Debido a una mala configuraci\u00f3n de seguridad, cualquier persona con acceso al panel web de NextCloudPi puede utilizarlo; no se requiere autenticaci\u00f3n. Se recomienda actualizar NextCloudPi a 1.53.1."}], "id": "CVE-2024-30247", "lastModified": "2025-05-07T17:35:00.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-29T16:15:09.130", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}