CVE-2022-31131
Ownership check missing when updating or deleting mail attachments in Nextcloud mail
Severity Score: -
Exploit Likelihood: -
Affected Versions: < 1.12.2
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
Nextcloud Mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud Mail prior to 1.12.2 did not verify that the requesting user account owns a mail attachment before updating or deleting it (CWE-639: Authorization Bypass Through User-Controlled Key), so an attachment could be acted on by a system user other than its owner. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue.

### Workarounds

No workaround available

### References

* [Pull request](https://github.com/nextcloud/mail/pull/6600)
* [HackerOne](https://hackerone.com/reports/1579820)

### For more information

If you have any questions or comments about this advisory:

* Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions)
* Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)
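The check that was missing, as an added example that is not Nextcloud Mail's own code: a minimal in-memory attachment store with the vulnerable lookup (row selected by the client-supplied id alone) beside the fixed one (row selected by id and the authenticated account). `Attachment`, `AttachmentStore`, `findOwned` and the user ids `alice`/`mallory` are hypothetical names chosen for the example; the scenario data is constructed. It assumes PHP 8.1 or later for the promoted `readonly` properties.

```php
<?php
declare(strict_types=1);

// Added example, not code from Nextcloud Mail. It models the CWE-639 gap
// behind CVE-2022-31131 with an in-memory attachment store. All names here
// (Attachment, AttachmentStore, findOwned, the user ids) are hypothetical.

final class Attachment
{
    public function __construct(
        public readonly int $id,
        public readonly string $ownerId,
        public string $fileName,
    ) {
    }
}

final class AttachmentStore
{
    /** @var array<int, Attachment> rows keyed by attachment id */
    private array $rows = [];
    private int $nextId = 1;

    public function add(string $ownerId, string $fileName): Attachment
    {
        $a = new Attachment($this->nextId++, $ownerId, $fileName);
        $this->rows[$a->id] = $a;
        return $a;
    }

    public function exists(int $attachmentId): bool
    {
        return isset($this->rows[$attachmentId]);
    }

    // VULNERABLE pattern: the row is selected by the client-supplied id alone.
    // Any authenticated user who knows or guesses an id can delete it.
    public function deleteById(int $attachmentId): bool
    {
        if (!isset($this->rows[$attachmentId])) {
            return false;
        }
        unset($this->rows[$attachmentId]);
        return true;
    }

    // FIXED pattern: the caller's account id is part of the lookup, so a row
    // owned by someone else is treated exactly like a row that does not exist.
    private function findOwned(string $userId, int $attachmentId): ?Attachment
    {
        $a = $this->rows[$attachmentId] ?? null;
        return ($a !== null && $a->ownerId === $userId) ? $a : null;
    }

    public function delete(string $userId, int $attachmentId): bool
    {
        if ($this->findOwned($userId, $attachmentId) === null) {
            return false;
        }
        unset($this->rows[$attachmentId]);
        return true;
    }

    public function rename(string $userId, int $attachmentId, string $newName): bool
    {
        $a = $this->findOwned($userId, $attachmentId);
        if ($a === null) {
            return false;
        }
        $a->fileName = $newName;
        return true;
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

// Constructed scenario: alice uploads an attachment; mallory, a different
// authenticated user, learns its id (ids are small integers) and acts on it.
$store = new AttachmentStore();
$alice = $store->add('alice', 'contract.pdf');

// Before the fix: mallory's request succeeds and alice's attachment is gone.
expect($store->deleteById($alice->id) === true, 'unchecked delete succeeds');
expect(!$store->exists($alice->id), 'attachment removed by non-owner');

// After the fix: the same requests from mallory are refused; alice's own work.
$alice = $store->add('alice', 'contract.pdf');
expect($store->rename('mallory', $alice->id, 'x.pdf') === false, 'non-owner rename refused');
expect($store->delete('mallory', $alice->id) === false, 'non-owner delete refused');
expect($store->exists($alice->id), 'attachment still present');
expect($store->rename('alice', $alice->id, 'contract-v2.pdf') === true, 'owner rename allowed');
expect($store->delete('alice', $alice->id) === true, 'owner delete allowed');
echo "ownership checks behave as expected\n";
```

Run with `php example.php`. In a database-backed mapper the same fix is to make the account part of the query (`WHERE id = ? AND user_id = ?`) rather than checking ownership after a lookup by id, and to return the same "not found" result for foreign and non-existent ids so the endpoint does not become an oracle for valid attachment ids.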
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-07-06 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-09-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
- CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (3)

| URL | Date |
|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j | 2024-08-03 |
| https://github.com/nextcloud/mail/pull/6600 | 2023-06-29 |
| https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605 | 2023-06-29 |
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Nextcloud | Nextcloud Mail | < 1.12.2 | - | Affected |