CVE-2018-3762 - OpenCVE

Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nextcloud	Nextcloud Server

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::

References

Link	Resource
https://hackerone.com/reports/358339	Third Party Advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2018-002	Broken Link Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2018-07-05T16:00:00

Updated: 2018-07-05T15:57:01

Reserved: 2017-12-28T00:00:00

Link: CVE-2018-3762

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-05T16:29:00.470

Modified: 2023-02-28T17:52:20.740

Link: CVE-2018-3762

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Nextcloud Server", "vendor": "Nextcloud", "versions": [{"status": "affected", "version": "<13.0.3, <12.0.8"}]}], "datePublic": "2018-06-21T00:00:00", "descriptions": [{"lang": "en", "value": "Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control - Generic (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-05T15:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-002"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/358339"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-3762", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Nextcloud Server", "version": {"version_data": [{"version_value": "<13.0.3, <12.0.8"}]}}]}, "vendor_name": "Nextcloud"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control - Generic (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-002", "refsource": "CONFIRM", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-002"}, {"name": "https://hackerone.com/reports/358339", "refsource": "MISC", "url": "https://hackerone.com/reports/358339"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2018-3762", "datePublished": "2018-07-05T16:00:00", "dateReserved": "2017-12-28T00:00:00", "dateUpdated": "2018-07-05T15:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CEE07AB-CFB8-41CB-85E7-06FF3977DD2B", "versionEndExcluding": "12.0.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C66EEA7-59A5-4F3B-ADC3-5A7422B1FBC0", "versionEndExcluding": "13.0.3", "versionStartIncluding": "13.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to."}, {"lang": "es", "value": "Nextcloud Server en versiones anteriores a la 12.0.8 y la 13.0.3 sufre de comprobaciones incorrectas de permisos abandonados para comparticiones entrantes, lo que permite que un usuario pueda seguir solicitando previsualizaciones de archivos a los que no deber\u00eda tener acceso."}], "id": "CVE-2018-3762", "lastModified": "2023-02-28T17:52:20.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-05T16:29:00.470", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/358339"}, {"source": "support@hackerone.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2018-002"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "support@hackerone.com", "type": "Secondary"}]}