Security updates for Nextcloud: Attackers can delete data

Three vulnerabilities (CVE-2023-39963, CVE-2023-39962, CVE-2023-39957) are rated with threat level “high”.

Fixed in Server (Nextcloud) 25.0.9, 26.0.4, 27.0.1

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone


thanks for the update

this HIGH severance is more of an availability issue. didn’t look at this in detail before going with the headline you saw. It’s technically correct, but not the data on disk that you’d think

A missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim.

small difference.

this should read “Path traversal allows tricking the Talk Android app into writing files into the nextcloud users own top-level directory” - not as severe imo. You’d overwrite data maybe


Ok, but CVE-2023-39962 not depends on stealing a session. Mounts can be deleted and “remove all data from database related to the storage based on its id”

“Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem” but surely it is beyond my knowledge what an “instance” involves.

PS: If every user has only its own instance probably nothing to worry, right?

yes – but it’s only a mountpoint you delete and all database references of it - it’s not about the filesystem data of the mount itself - what the layman will understand when reading “Angreifer können Daten löschen”.


Filesystem can be unmounted by anyone

All I’m debating is do you spill the coffee while reading the CVE or do you finish drinking it. But yes, high, not critical. This kind of CVE let’s you live another day without backup of the now umounted filesystem. Just have db backup. Sorry it’s friday. Good weekend sysadmins!

1 Like

yep! the high-labeled vulns here are all authenticated. If an instance is used single-user (or family even), there’s an argument to put it all into a vpn. To allow for file share then or invitiing talk guests, geoip-allow-by-country slows down attackers when it is an unauthenticated vuln.

This topic was automatically closed after 30 days. New replies are no longer allowed.