CVE-2022-24889

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1.

Published: Apr 27, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-24889
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-345

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	23.0.0	23.0.1
nextcloud / nextcloud_server	22.0.0	22.2.4
nextcloud / nextcloud_server	-	21.0.8

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6prg-gvw6
https://github.com/nextcloud/server/pull/30615
https://hackerone.com/reports/1403614
https://security.gentoo.org/glsa/202208-17

Vulnerability Database

289,697

CVE-2022-24889