CVE-2023-30539

Source
https://cve.org/CVERecord?id=CVE-2023-30539
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30539.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-30539
Aliases
  • GHSA-3m2f-v8x7-9w99
Published
2023-04-17T21:27:29.405Z
Modified
2026-04-10T04:57:53.369965Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Summary
Users can set up workflows using restricted and invisible system tags in Nextcloud
Details

Nextcloud is a personal home server system. Depending on the tags and other workflows that have been set up, this issue can be used to limit the access of others, or to grant them access, when system-tag-based files access control or files retention rules are in place. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow-related apps.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/30xxx/CVE-2023-30539.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

Git / github.com/nextcloud/files_automatedtagging

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/files_automatedtagging
Events
Introduced
Fixed
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "1.14.0"
        },
        {
            "fixed": "1.14.2"
        },
        {
            "introduced": "1.15.0"
        },
        {
            "fixed": "1.15.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.11.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.12.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.13.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.16.0"
        }
    ]
}

Affected versions

v1.*
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.15.0
v1.15.1
v1.15.2
v1.16.0
v1.2.2
v1.3.0
v1.4.0
v1.6.0
v1.8.0
v1.8.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30539.json"

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events

Affected versions

v25.*
v25.0.0
v25.0.1
v25.0.1rc1
v25.0.2
v25.0.2rc1
v25.0.2rc2
v25.0.2rc3
v25.0.3
v25.0.3rc1
v25.0.3rc2
v25.0.4
v25.0.4rc1
v25.0.5rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30539.json"