Все бюллетени/sisyphus/ALT-PU-2023-1055-2
ALT-PU-2023-1055-2

Обновление пакета nextcloud в ветке sisyphus

Версия25.0.2-alt1
Задание#313364
Опубликовано2026-02-04
Макс. серьёзностьHIGH
Серьёзность:

Закрытые проблемы (7)

BDU:2023-02152
HIGH7.5

Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к ограниченным функциям

Опубликовано: 2023-04-20
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
Ссылки
BDU:2024-00709
MEDIUM5.3

Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неправильным контролем доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-01-25
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
Ссылки
CVE-2022-41970
MEDIUM5.3

Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds are available.

Опубликовано: 2022-12-01Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2023-25159
MEDIUM5.3

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.

Опубликовано: 2023-02-13Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Ссылки
CVE-2023-25161
MEDIUM5.3

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

Опубликовано: 2023-02-13Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ссылки
CVE-2023-25579
HIGH7.5

Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.

Опубликовано: 2023-02-22Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ссылки
CVE-2023-25821
HIGH7.5

Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.

Опубликовано: 2023-02-25Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки