Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-36074

Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.

Published

2022-09-15T22:15:11.303

Last Modified

2024-11-21T07:12:19.460

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_enterprise_server	< 22.2.11	Yes
Application	nextcloud	nextcloud_enterprise_server	< 23.0.7	Yes
Application	nextcloud	nextcloud_enterprise_server	< 24.0.3	Yes
Application	nextcloud	nextcloud_server	< 23.0.7	Yes
Application	nextcloud	nextcloud_server	< 24.0.3	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v Third Party Advisory ([email protected])
https://github.com/nextcloud/server/pull/32941 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/pull/32941 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)