Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-52514

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.

Published

2024-11-15T18:15:30.370

Last Modified

2025-10-01T17:49:30.300

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 21.0.9.18	Yes
Application	nextcloud	nextcloud_server	< 22.2.10.23	Yes
Application	nextcloud	nextcloud_server	< 23.0.12.18	Yes
Application	nextcloud	nextcloud_server	< 24.0.12.14	Yes
Application	nextcloud	nextcloud_server	< 25.0.13.9	Yes
Application	nextcloud	nextcloud_server	< 26.0.13.3	Yes
Application	nextcloud	nextcloud_server	< 27.1.9	Yes
Application	nextcloud	nextcloud_server	< 27.1.9	Yes
Application	nextcloud	nextcloud_server	< 28.0.5	Yes
Application	nextcloud	nextcloud_server	< 28.0.5	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj Vendor Advisory ([email protected])
https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8 Patch ([email protected])
https://github.com/nextcloud/server/pull/44889 Issue Tracking ([email protected])
https://hackerone.com/reports/2447316 Issue Tracking ([email protected])