CVE-2024-22402

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-22402

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22402.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-22402

Aliases

GHSA-v3qw-7vgv-2fxj

Published

2024-01-18T20:23:54Z

Modified

2025-10-15T07:27:58.297425Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist

Details

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/nextcloud/guests

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/guests
Events: Introduced

0114d0d79abd714f1e3077b68f50b99d0f218794

Fixed

303df1d1cb9431b6b7df28cb99dbaace4783142b

Type: GIT
Repo: https://github.com/nextcloud/guests
Events: Introduced

6d9a2f093e2d291c8865bbe83c04c11cd462630d

Fixed

3e2eaded2a06fd8b021c54e6f2fb26be3a4cae65

Type: GIT
Repo: https://github.com/nextcloud/guests
Events: Introduced

acbc6b536da09943464fd156f49f4b4e105bde1a

Fixed

119d106c2c7c30a9379b8b509159a91272eceed4

Affected versions

v2.*

v2.4.0

v2.5.0