CVE-2017-0883

Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set. Note that this only affects folders and files that the adversary has at least read-only permissions for.

Published: Apr 5, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-0883
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.4
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

CWEs:

CWE-732

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	-	9.0.54.x
nextcloud / nextcloud_server	10.0.2	10.0.2.x

https://hackerone.com/reports/169680
https://nextcloud.com/security/advisory/?id=nc-sa-2017-001

Vulnerability Database

289,697

CVE-2017-0883