CVE-2024-37884

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-37884

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37884.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-37884

Aliases

GHSA-xwgx-f37p-xh8c

Published

2024-06-14T15:36:16.181Z

Modified

2025-12-01T02:10:20.453708Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Nextcloud Server's users can delete old versions of read-only shared files

Details

Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37884.json"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

27dcfb94a08990a5b3f40aa9f2fd8bb2039778bf

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.13"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Fixed

7442a88ac83f00051fbc8592c34819fa9d27764e

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.1.8"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

e15fcecaf0d382cebff924ec2b1f5319e130c0e8

Fixed

6403fd1828760bff630ca26203f8cbe9addd3e1d

Database specific

{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.4"
        }
    ]
}

Affected versions

v26.*

v26.0.0

v26.0.1

v26.0.10

v26.0.10rc1

v26.0.11

v26.0.11rc1

v26.0.11rc2

v26.0.12

v26.0.12rc1

v26.0.12rc2

v26.0.13rc1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4

v26.0.4rc1

v26.0.4rc2

v26.0.5

v26.0.5rc1

v26.0.6

v26.0.6rc1

v26.0.7

v26.0.8

v26.0.8rc1

v26.0.8rc2

v26.0.9

v26.0.9rc1

v27.*

v27.0.0

v27.0.1

v27.0.1rc1

v27.0.1rc2

v27.0.2

v27.0.2rc1

v27.1.0

v27.1.0beta2

v27.1.0beta3

v27.1.0rc1

v27.1.0rc2

v27.1.0rc3

v27.1.0rc4

v27.1.1

v27.1.2

v27.1.2rc1

v27.1.3

v27.1.3rc1

v27.1.3rc2

v27.1.4

v27.1.4rc1

v27.1.5

v27.1.5rc1

v27.1.6

v27.1.6rc1

v27.1.6rc2

v27.1.7

v27.1.7rc1

v27.1.7rc2

v27.1.8rc1

v28.*

v28.0.0

v28.0.1

v28.0.1rc1

v28.0.2

v28.0.2rc1

v28.0.2rc2

v28.0.2rc3

v28.0.2rc4

v28.0.2rc5

v28.0.3

v28.0.3rc1

v28.0.3rc2

v28.0.4rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37884.json"