CVE-2022-36075

Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/files_accesscontrol/pull/248	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:files_access_control::::::::
	cpe:2.3:a:nextcloud:files_access_control:1.13.0:::::::*
	cpe:2.3:a:nextcloud:files_access_control:1.14.0:::::::*

History

19 Sep 2022, 19:16

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nextcloud:files_access_control:1.14.0:::::::* cpe:2.3:a:nextcloud:files_access_control:1.13.0:::::::* cpe:2.3:a:nextcloud:files_access_control::::::::
CWE	~~CWE-200~~	CWE-269
References	~~(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w -~~	(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w - Third Party Advisory
References	~~(MISC) https://github.com/nextcloud/files_accesscontrol/pull/248 -~~	(MISC) https://github.com/nextcloud/files_accesscontrol/pull/248 - Patch, Third Party Advisory
First Time		Nextcloud Nextcloud files Access Control
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

15 Sep 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-15 22:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-36075

Mitre link : CVE-2022-36075

CVE.ORG link : CVE-2022-36075

JSON object : View

Products Affected

nextcloud

files_access_control

CWE

CWE-269

Improper Privilege Management

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2022-36075", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.0}]}, "published": "2022-09-15T22:15:11.387", "references": [{"url": "https://github.com/nextcloud/files_accesscontrol/pull/248", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4m73-g7v7-v62w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue"}, {"lang": "es", "value": "Nextcloud files access control es una aplicaci\u00f3n de nextcloud para administrar el control de acceso a archivos. Los usuarios con acceso limitado pueden visualizar los nombres de los archivos en determinados casos en los que no presentan privilegios para hacerlo. Este problema ha sido abordado y es recomendado actualizar la aplicaci\u00f3n Nextcloud Files Access Control a versiones 1.12.2, 1.13.1 o 1.14.1. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2022-09-19T19:16:07.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:files_access_control:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "716CEADA-BD5C-405E-876E-A8CD5E8AE41C", "versionEndExcluding": "1.12.2"}, {"criteria": "cpe:2.3:a:nextcloud:files_access_control:1.13.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CA8DA50-4BC3-473D-BB0B-77174B7C7516"}, {"criteria": "cpe:2.3:a:nextcloud:files_access_control:1.14.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "545DD0A9-E241-481E-969D-C1CF03B2EA52"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}