CVE-2024-37887

Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595	Vendor Advisory
https://github.com/nextcloud/server/pull/45309	Patch
https://hackerone.com/reports/2479325	Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595	Vendor Advisory
https://github.com/nextcloud/server/pull/45309	Patch
https://hackerone.com/reports/2479325	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::-:::
	cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::enterprise:::

History

21 Nov 2024, 09:24

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 - Vendor Advisory~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 - Vendor Advisory
References	~~() https://github.com/nextcloud/server/pull/45309 - Patch~~	() https://github.com/nextcloud/server/pull/45309 - Patch
References	~~() https://hackerone.com/reports/2479325 - Issue Tracking~~	() https://hackerone.com/reports/2479325 - Issue Tracking

08 Aug 2024, 16:33

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 - Vendor Advisory
References	~~() https://github.com/nextcloud/server/pull/45309 -~~	() https://github.com/nextcloud/server/pull/45309 - Patch
References	~~() https://hackerone.com/reports/2479325 -~~	() https://hackerone.com/reports/2479325 - Issue Tracking
CPE		cpe:2.3:a:nextcloud:nextcloud_server:::::-:::* cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::-::: cpe:2.3:a:nextcloud:nextcloud_server:29.0.0::::enterprise::: cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
CWE		NVD-CWE-noinfo
First Time		Nextcloud Nextcloud nextcloud Server

17 Jun 2024, 12:42

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal autohospedado. Los participantes pueden leer las excepciones de recurrencia de los eventos privados del calendario compartido. Se recomienda que Nextcloud Server se actualice a 27.1.10 o 28.0.6 o 29.0.1 y que Nextcloud Enterprise Server se actualice a 27.1.10 o 28.0.6 o 29.0.1.

14 Jun 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 16:15

Updated : 2024-11-21 09:24

NVD link : CVE-2024-37887

Mitre link : CVE-2024-37887

CVE.ORG link : CVE-2024-37887

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-37887", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2024-06-14T16:15:14.237", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/45309", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2479325", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nextcloud/server/pull/45309", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2479325", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1."}, {"lang": "es", "value": "Nextcloud Server es un sistema de nube personal autohospedado. Los participantes pueden leer las excepciones de recurrencia de los eventos privados del calendario compartido. Se recomienda que Nextcloud Server se actualice a 27.1.10 o 28.0.6 o 29.0.1 y que Nextcloud Enterprise Server se actualice a 27.1.10 o 28.0.6 o 29.0.1."}], "lastModified": "2024-11-21T09:24:28.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "F38721C1-838D-4E12-80EA-4A275C457A97", "versionEndExcluding": "27.1.10", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "54300595-D23D-4F77-8F68-C6B60D6CB0D2", "versionEndExcluding": "27.1.10", "versionStartIncluding": "27.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "BE4CD3B0-788F-41F8-98A9-388853A84D0C", "versionEndIncluding": "28.0.6", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "84E246F1-39F9-4AAB-9049-4002E5EF539A", "versionEndExcluding": "28.0.6", "versionStartIncluding": "28.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:29.0.0:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "45508E90-8438-4A52-900E-A2154096E31C"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:29.0.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "8573835A-33F1-4598-83F4-EBCE44EDE95D"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

3.5 /10