Missing Authorization in Nextcloud Server

#VU30326 Missing Authorization in Nextcloud Server

Published: 2020-03-20 | Updated: 2020-07-17

Vulnerability identifier: #VU30326

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8139

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nextcloud Server
Client/Desktop applications / Messaging software

Vendor: Nextcloud

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Nextcloud Server: 18.0.0

External links
http://hackerone.com/reports/788257
http://nextcloud.com/security/advisory/?id=NC-SA-2020-015

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing Authorization in Nextcloud Server