Description
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vqgm-f748-g76v
Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/server/pull/32941
Scores
CVSS v3
6.4
EPSS
0.0017
EPSS Percentile
37.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-200
CWE-863
Status
published
Products (2)
nextcloud/nextcloud_enterprise_server
< 22.2.11
nextcloud/nextcloud_server
< 23.0.7
Published
Sep 15, 2022
Tracked Since
Feb 18, 2026