SB2017040509 - Incorrect permission assignment for critical resource in Nextcloud Server

Published: April 5, 2017 Updated: August 8, 2020

Security Bulletin ID: SB2017040509
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2017-0883)

The vulnerability allows a remote authenticated user to manipulate data in shares to which they were granted only read access.

Nextcloud Server 9.0.x before 9.0.55 and 10.0.x before 10.0.2 do not enforce that a reshare created through the OCS sharing API carries at most the permissions of the share being reshared. An authenticated user who received a share with read-only permissions (and is allowed to reshare it) could create a reshare with a larger permission set, for example adding update, create or delete, which may allow editing files in the share despite holding only read permission on the original. Note that only files and folders the adversary already has at least read access to are affected; the issue does not expose data that was never shared with the adversary.
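The rule the sharing API must enforce, modelled as an added example in plain Python. This is not Nextcloud's own code: the Share model, the function names and the sample users (alice, bob, carol, dave) are assumptions made for the example; the permission bit values are Nextcloud's OCS share permission flags (read=1, update=2, create=4, delete=8, share=16). The vulnerable variant honours whatever mask the caller requests; the fixed variant rejects any bit the incoming share does not grant, and an audit helper flags reshares already on record that carry more than their parent.

```python
"""Illustrative model of the reshare permission check behind CVE-2017-0883.

Added example, not Nextcloud code. Share, the function names and the sample
data below are assumptions made for this illustration; the PERMISSION_* bit
values are Nextcloud's OCS share permission flags.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Nextcloud OCS share permission bits.
PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8
PERMISSION_SHARE = 16
PERMISSION_ALL = 31

_NAMES = [
    ("read", PERMISSION_READ),
    ("update", PERMISSION_UPDATE),
    ("create", PERMISSION_CREATE),
    ("delete", PERMISSION_DELETE),
    ("share", PERMISSION_SHARE),
]


def describe(mask: int) -> str:
    """Render a permission bitmask as a readable list, e.g. 17 -> 'read,share'."""
    return ",".join(name for name, bit in _NAMES if mask & bit) or "none"


@dataclass(frozen=True)
class Share:
    id: int
    owner: str                    # user who created this share
    share_with: str               # recipient of this share
    permissions: int              # bitmask of PERMISSION_* bits
    parent: Optional[int] = None  # id of the share this one reshares, if any


class ResharePolicyError(Exception):
    pass


def vulnerable_reshare_permissions(incoming: Share, requested: int) -> int:
    """Pre-fix behaviour: any valid mask the caller asks for is honoured,
    so a read-only recipient can hand out update/create/delete."""
    return requested & PERMISSION_ALL


def fixed_reshare_permissions(incoming: Share, requester: str, requested: int) -> int:
    """Hardened check: the reshare mask must be a subset of the incoming one."""
    if incoming.share_with != requester:
        raise ResharePolicyError("requester is not the recipient of the incoming share")
    if not incoming.permissions & PERMISSION_SHARE:
        raise ResharePolicyError("incoming share does not permit resharing")
    if requested & ~PERMISSION_ALL:
        raise ResharePolicyError("unknown permission bits in request")
    if not requested & PERMISSION_READ:
        raise ResharePolicyError("a share must at least grant read")
    escalated = requested & ~incoming.permissions
    if escalated:
        raise ResharePolicyError(
            f"reshare would grant {describe(escalated)}, which the requester does not hold"
        )
    return requested


def find_escalated_reshares(shares: List[Share]) -> List[int]:
    """Audit helper: ids of reshares carrying bits their parent share lacks."""
    by_id: Dict[int, Share] = {s.id: s for s in shares}
    escalated = []
    for s in shares:
        if s.parent is None or s.parent not in by_id:
            continue
        if s.permissions & ~by_id[s.parent].permissions:
            escalated.append(s.id)
    return escalated


# Constructed sample data: alice shares a folder with bob read-only but lets him
# reshare it (read|share = 17); bob reshares it to carol with everything (31)
# and to dave read-only (1).
ALICE_TO_BOB = Share(id=1, owner="alice", share_with="bob",
                     permissions=PERMISSION_READ | PERMISSION_SHARE)
BOB_TO_CAROL_ESCALATED = Share(id=2, owner="bob", share_with="carol",
                               permissions=PERMISSION_ALL, parent=1)
BOB_TO_DAVE_OK = Share(id=3, owner="bob", share_with="dave",
                       permissions=PERMISSION_READ, parent=1)

if __name__ == "__main__":
    print("vulnerable grants:", describe(vulnerable_reshare_permissions(ALICE_TO_BOB, PERMISSION_ALL)))
    try:
        fixed_reshare_permissions(ALICE_TO_BOB, "bob", PERMISSION_ALL)
    except ResharePolicyError as err:
        print("fixed rejects:", err)
    print("fixed grants:", describe(fixed_reshare_permissions(ALICE_TO_BOB, "bob", PERMISSION_READ)))
    print("escalated reshares on record:",
          find_escalated_reshares([ALICE_TO_BOB, BOB_TO_CAROL_ESCALATED, BOB_TO_DAVE_OK]))
```

The subset test is the whole fix: `requested & ~incoming.permissions` must be zero. Checking only that the requested bits are valid flags, as the vulnerable variant does, is exactly what lets a read-only recipient mint a writable reshare.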


Remediation

Update to Nextcloud Server 9.0.55 or 10.0.2 (or a later release) from the vendor's website.