Bug 2187915 (CVE-2023-25817)

Summary: CVE-2023-25817 nextcloud-server: delete permissions are not saved when creating public share
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud-server 24.0.9 Doc Type: ---
Doc Text:
A user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-19 11:35:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2187918, 2187919, 2187920, 2187921, 2187922, 2187923, 2187924, 2187925, 2187926, 2187927, 2187928    
Bug Blocks:    

Description TEJ RATHI 2023-04-19 06:24:11 UTC 
Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8v5c-f752-fgpv
https://github.com/nextcloud/server/pull/33941
Comment 1 TEJ RATHI 2023-04-19 06:33:11 UTC 
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187918]


Created nextcloud:23/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187919]
Affects: fedora-all [bug 2187922]


Created nextcloud:24/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187920]
Affects: fedora-all [bug 2187923]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187924]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187925]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187926]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2187921]
Affects: fedora-all [bug 2187927]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2187928]
Comment 2 Product Security DevOps Team 2023-04-19 11:34:59 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.