CVE-2024-52514

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj	Vendor Advisory
https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8	Patch
https://github.com/nextcloud/server/pull/44889	Issue Tracking
https://hackerone.com/reports/2447316	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*

History

01 Oct 2025, 17:49

Type	Values Removed	Values Added
First Time		Nextcloud nextcloud Server Nextcloud
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::* cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj - Vendor Advisory
References	~~() https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8 -~~	() https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8 - Patch
References	~~() https://github.com/nextcloud/server/pull/44889 -~~	() https://github.com/nextcloud/server/pull/44889 - Issue Tracking
References	~~() https://hackerone.com/reports/2447316 -~~	() https://hackerone.com/reports/2447316 - Issue Tracking

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por uno mismo. Después de que un usuario reciba un recurso compartido con algunos archivos dentro que están bloqueados por el control de acceso a archivos, el usuario aún podrá copiar la carpeta intermedia dentro de Nextcloud, lo que le permitirá acceder potencialmente a los archivos bloqueados después, según las reglas de control de acceso del usuario. Se recomienda que Nextcloud Server se actualice a 27.1.9, 28.0.5 o 29.0.0 y que Nextcloud Enterprise Server se actualice a 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 o 29.0.0.

15 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 18:15

Updated : 2025-10-01 17:49

NVD link : CVE-2024-52514

Mitre link : CVE-2024-52514

CVE.ORG link : CVE-2024-52514

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

4.1 /10