CVE-2023-39952

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-39952

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39952.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-39952

Aliases

GHSA-cq8w-v4fh-4rjq

Published

2023-08-10T13:50:50.528Z

Modified

2025-11-29T14:34:01.080793Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Advanced permissions not respected when copying entire group folders

Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39952.json",
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

82f744bb016b059a55d1c6c476a665029e55cedc

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.8"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

5348e530ea6c61e443cf4f5cab7f4ed97ddd14d3

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Fixed

e9174a418927eade3a1e6261978b27abdfdfcef6

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.0.1"
        }
    ]
}

Affected versions

v25.*

v25.0.0

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8rc1

v25.0.8rc2

v26.*

v26.0.0

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3rc1

v26.0.3rc2

v27.*

v27.0.0

v27.0.1rc1

v27.0.1rc2