CVE-2023-28643

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-28643

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28643.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28643

Aliases

GHSA-hhq4-4pr8-wm27

Published

2023-03-30T18:31:31.609Z

Modified

2026-06-15T12:19:15.126301931Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Potential share collision for recipients when caching is enabled in nextcloud server

Details

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to {name} (2). It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28643.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-706"
    ]
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

5f37aacb3194d51503aaa3529ae8f676b32a25d7

Fixed

b4899ddee19c94db5d65c1f813fad51541ae1347

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

494a0c1073b460d4d2a5c03ff3567fc388b91e36

Database specific

{
    "extracted_events": [
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.0.9"
        },
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.3"
        }
    ],
    "cpe": [
        "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
        "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*"
    ],
    "source": "CPE_RANGE"
}

Affected versions

v24.*

v24.0.0

v24.0.1

v24.0.1rc1

v24.0.2

v24.0.2rc1

v24.0.3

v24.0.3rc1

v24.0.3rc2

v24.0.4

v24.0.4rc1

v24.0.5

v24.0.5rc1

v24.0.6

v24.0.6rc1

v24.0.7

v24.0.7rc1

v24.0.8

v24.0.8rc1

v24.0.8rc2

v24.0.9rc1

v24.0.9rc2

v25.*

v25.0.0

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3rc1

v25.0.3rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28643.json"