Main Vulnerability Database Vulnerabilities #VU103063

Information disclosure in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52517

Published: January 20, 2025

Vulnerability identifier: #VU103063

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-52517

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Nextcloud

Affected software:
Nextcloud Server
Nextcloud Enterprise Server

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to global credentials of external storages are sent back to the frontend. An administrator with physical access can gain unauthorized access to sensitive information on the system.

How to mitigate CVE-2024-52517

Install updates from vendor's website.

Sources

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x9q3-c7f8-3rcg
https://github.com/nextcloud/server/pull/48359
https://github.com/nextcloud/server/commit/c45ed55f959ff54f3ea23dd2ae1a5868a075c9fe
https://hackerone.com/reports/2554079

Information disclosure in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52517

Detailed vulnerability description

How to mitigate CVE-2024-52517

Sources

Please verify you're human