Nextcloud Server 22.x-24.x Group Removal Shares Not Revoked
CVE-2024-52516 Published on November 15, 2024
Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.
Vulnerability Analysis
CVE-2024-52516 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2024-52516
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-52516 are published in these products:
Affected Versions
nextcloud security-advisories:- Version >= 28.0.0, < 28.0.9 is affected.
- Version >= 29.0.0, < 29.0.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.