CVE-2016-9464

MEDIUM

Nextcloud Server < 9.0.54 - Improper Authorization

Title source: rule

Description

Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation simply unshared the file to all users in the group.

References (7)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97287

[Issue Tracking, Patch, Third Party Advisory] https://github.com/nextcloud/server/commit/3387e5d00fcf6b2ea6b285a091e5743f545e7202

[Issue Tracking, Patch, Third Party Advisory] https://github.com/nextcloud/server/commit/7289cb5ec0b812992ab0dfb889744b94bc0994f0

View Patch ZIP pw:eip

[Issue Tracking, Patch, Third Party Advisory] https://github.com/nextcloud/server/commit/a5471b4a3e3f30e99e4de39c97c0c3b3c2f1618f

[Issue Tracking, Patch, Third Party Advisory] https://github.com/nextcloud/server/commit/e2c4f4f9aa11bc92e8f2212cce73841b922187e8

[Exploit, Third Party Advisory] https://hackerone.com/reports/153905

[Patch, Vendor Advisory] https://nextcloud.com/security/advisory/?id=nc-sa-2016-007

Scores

CVSS v3 4.3

EPSS 0.0029

EPSS Percentile 52.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-285

Status published

Affected Products (3)

nextcloud/nextcloud_server < 9.0.54

nextcloud/nextcloud_server

n/a/Nextcloud Server Nextcloud Server before 9.0.54 and 10.0.0 < Nextcloud Server Nextcloud Server before 9.0.54 and 10.0.0

Timeline

Published Mar 28, 2017

Tracked Since Feb 18, 2026