CVE-2022-24889

low-risk
Published 2022-04-27

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.4/10 Low
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Nextcloud

References (8)

Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6...
Third Party Advisory https://github.com/nextcloud/server/pull/30615
Exploit https://hackerone.com/reports/1403614
Third Party Advisory https://security.gentoo.org/glsa/202208-17
Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5vw6-6...
Third Party Advisory https://github.com/nextcloud/server/pull/30615
Exploit https://hackerone.com/reports/1403614
Third Party Advisory https://security.gentoo.org/glsa/202208-17
19
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal