CVE-2022-36074

{"id": "CVE-2022-36074", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2022-09-15T22:15:11.303", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/32941", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue."}, {"lang": "es", "value": "Nextcloud server es un producto de nube personal de c\u00f3digo abierto. Las versiones afectadas de este paquete son vulnerables a una Exposici\u00f3n de Informaci\u00f3n que falla al eliminar el encabezado de autorizaci\u00f3n en el descenso de HTTP. Esto puede conllevar a una exposici\u00f3n del acceso a la cuenta y su compromiso. Es recomendado actualizar el servidor Nextcloud a versi\u00f3n 23.0.7 o 24.0.3. Es recomendado que Nextcloud Enterprise Server sea actualizado a versi\u00f3n 22.2.11, 23.0.7 o 24.0.3. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2023-07-21T21:01:21.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25E67FEF-5998-4CEF-95CC-7039947F763F", "versionEndExcluding": "22.2.11"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83FDE312-401A-48C0-BFA0-F3439571CB40", "versionEndExcluding": "23.0.7", "versionStartIncluding": "23.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89DC7F6E-DF99-4A47-9038-F225EDA90298", "versionEndExcluding": "24.0.3", "versionStartIncluding": "24.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B33B876-3E32-47E7-A6F0-E23A09AC2648", "versionEndExcluding": "23.0.7"}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "498C4D8E-C26E-4D82-BFDB-3CC84C188714", "versionEndExcluding": "24.0.3", "versionStartIncluding": "24.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}