Security Advisory

Improper permission preservation on reshares (NC-SA-2020-012)

27th June 2019

Risk level: Medium

CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H)

CWE: Improper Preservation of Permissions (CWE-281)

HackerOne report: 619484

Description

Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.

Affected Software

• Nextcloud Server < 16.0.2 (CVE-2019-15621)
• Nextcloud Server < 15.0.9 (CVE-2019-15621)
• Nextcloud Server < 14.0.13 (CVE-2019-15621)

Action Taken

The error has been fixed.

Resolution

It is recommended that the Nextcloud Server is upgraded to 16.0.2.

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Phil Davis - JankariTech Pvt Ltd (phil@jankaritech.com) - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.