CVE-2022-39329
LOW
Nextcloud Server and Nextcloud Enterprise Server < 23.0.9 - Unauthenticated Information Exposure
Title source: llm
Description
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.
References (3)
Core References
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3
Patch, Third Party Advisory
https://github.com/nextcloud/server/pull/33643
Permissions Required, Third Party Advisory
https://hackerone.com/reports/1675014
Scores
CVSS v3
3.5
EPSS
0.0026
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
CWE-862
CWE-285
Status
published
Products (2)
nextcloud/nextcloud_enterprise_server
< 23.0.9
nextcloud/nextcloud_server
< 23.0.9
Published
Oct 27, 2022
Tracked Since
Feb 18, 2026