Improper permission preservation on reshares (NC-SA-2020-012)
27th June 2019
Risk level: Medium
CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H)
HackerOne report: 619484
Improper permission preservation in Nextcloud Server 16.0.1 allows sharees to reshare with write permissions when they share, as a public link, the mount point of a share they received.
- Nextcloud Server < 16.0.2 (CVE-2019-15621)
- Nextcloud Server < 15.0.9 (CVE-2019-15621)
- Nextcloud Server < 14.0.13 (CVE-2019-15621)
The error has been fixed.
It is recommended that the Nextcloud Server is upgraded to 16.0.2.
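Existing shares can be audited for the condition described above: a public link created by a sharee that grants more than the sharee received on that node, including when the node is the mount point of the received share. The following is an added example, not Nextcloud's code; the `ShareRecord` layout, function names and sample records are hypothetical and constructed, and only the permission bit values follow Nextcloud's permission constants.

```python
from dataclasses import dataclass
from typing import Optional

# Permission bits as in Nextcloud's OCP\Constants (READ=1 ... SHARE=16).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16

@dataclass(frozen=True)
class ShareRecord:          # hypothetical layout, not Nextcloud's schema
    id: int
    kind: str               # "user" or "link"
    owner: str              # owner of the shared node
    initiator: str          # user who created this share
    recipient: Optional[str]  # None for public links
    node: str               # path in the owner's storage
    permissions: int

def received_permissions(shares, user, node):
    """Permissions `user` received on `node`: the closest share whose mount
    point is `node` itself or one of its ancestors. None if there is none."""
    covering = [s for s in shares if s.kind == "user" and s.recipient == user
                and (node == s.node or node.startswith(s.node.rstrip("/") + "/"))]
    if not covering:
        return None
    return max(covering, key=lambda s: len(s.node)).permissions

def find_excess_reshares(shares):
    """Return (share id, excess permission bits) for public links created by
    a non-owner that grant more than the initiator was given on that node."""
    findings = []
    for s in shares:
        if s.kind != "link" or s.initiator == s.owner:
            continue
        granted = received_permissions(shares, s.initiator, s.node)
        # Without the SHARE bit the recipient may not reshare at all.
        allowed = granted if granted is not None and granted & SHARE else 0
        excess = s.permissions & ~allowed
        if excess:
            findings.append((s.id, excess))
    return findings

# Constructed sample records.
SAMPLE = [
    ShareRecord(1, "user", "alice", "alice", "bob", "/Projects", READ | SHARE),
    ShareRecord(2, "link", "alice", "bob", None, "/Projects", READ | UPDATE | CREATE | DELETE),
    ShareRecord(3, "link", "alice", "bob", None, "/Projects/docs", READ),
    ShareRecord(4, "user", "alice", "alice", "carol", "/Photos", READ),
    ShareRecord(5, "link", "alice", "carol", None, "/Photos", READ),
]

if __name__ == "__main__":
    for share_id, excess in find_excess_reshares(SAMPLE):
        print(f"share {share_id}: excess permission bits {excess:#04x}")
```

In the sample, share 2 is the case from this advisory: a read-only sharee publishing the mount point itself with write bits set.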
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.