CVE-2023-39962

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-39962

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39962.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-39962

Aliases

GHSA-xwxx-2752-w3xm

Published

2023-08-10T17:23:50.261Z

Modified

2025-11-29T07:55:42.950453Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVSS Calculator

Summary

Users can delete external storage mount points

Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39962.json",
    "cwe_ids": [
        "CWE-284"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

fbc4a4aad97572da902fef0ee61cbd49bba58365

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

318ac2714fafa63dcd90805a5cb8ee9d60b58f53

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Fixed

e9174a418927eade3a1e6261978b27abdfdfcef6

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.0.1"
        }
    ]
}

Affected versions

v25.*

v25.0.0

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9rc1

v25.0.9rc2

v26.*

v26.0.0

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4rc1

v26.0.4rc2

v27.*

v27.0.0

v27.0.1rc1

v27.0.1rc2