CVE-2016-9464

low-risk
Published 2017-03-28

Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation simply unshared the file to all users in the group.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Nextcloud

References (14)

Third Party Advisory http://www.securityfocus.com/bid/97287
Issue Tracking https://github.com/nextcloud/server/commit/3387e5d00fcf6b2ea6b285a091e5743f545e7...
Issue Tracking https://github.com/nextcloud/server/commit/7289cb5ec0b812992ab0dfb889744b94bc099...
Issue Tracking https://github.com/nextcloud/server/commit/a5471b4a3e3f30e99e4de39c97c0c3b3c2f16...
Issue Tracking https://github.com/nextcloud/server/commit/e2c4f4f9aa11bc92e8f2212cce73841b92218...
Exploit https://hackerone.com/reports/153905
Patch https://nextcloud.com/security/advisory/?id=nc-sa-2016-007
Third Party Advisory http://www.securityfocus.com/bid/97287
Issue Tracking https://github.com/nextcloud/server/commit/3387e5d00fcf6b2ea6b285a091e5743f545e7...
Issue Tracking https://github.com/nextcloud/server/commit/7289cb5ec0b812992ab0dfb889744b94bc099...
Issue Tracking https://github.com/nextcloud/server/commit/a5471b4a3e3f30e99e4de39c97c0c3b3c2f16...
Issue Tracking https://github.com/nextcloud/server/commit/e2c4f4f9aa11bc92e8f2212cce73841b92218...
Exploit https://hackerone.com/reports/153905
Patch https://nextcloud.com/security/advisory/?id=nc-sa-2016-007
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low