Main Vulnerability Database Vulnerabilities #VU30392

Improper Preservation of Permissions in Nextcloud Server - CVE-2019-15621

Published: February 4, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30392

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-15621

CWE-ID:

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Nextcloud

Affected software:
Nextcloud Server

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.

How to mitigate CVE-2019-15621

Install update from vendor's website.

Sources

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html
https://hackerone.com/reports/619484
https://nextcloud.com/security/advisory/?id=NC-SA-2020-012

Improper Preservation of Permissions in Nextcloud Server - CVE-2019-15621

Detailed vulnerability description

How to mitigate CVE-2019-15621

Sources

Please verify you're human