CVE-2024-52517

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-52517
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52517.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-52517
Aliases
  • GHSA-x9q3-c7f8-3rcg
Published
2024-11-15T16:49:40.993Z
Modified
2026-04-02T12:23:29.155342Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Nextcloud Server's global credentials of external storages are sent back to the frontend
Details

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52517.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
e15fcecaf0d382cebff924ec2b1f5319e130c0e8
Fixed
c3f0921c1ec2bd99ed854e316e488b897ac251fa
Database specific 
{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
36ae775aa7c9af22bf33645a2d8807206ec6c85f
Fixed
c553bc228e1e625920faf49a2eb4e1046f9c83c2
Database specific 
{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "29.0.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
656488893e2175e19fbe273d76a5e16a598000c7
Fixed
fd746c69f4e5122aebe3e136837473a60fccd3b3
Database specific 
{
    "versions": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.1"
        }
    ]
}

Affected versions

v28.*
v28.0.0
v28.0.1
v28.0.10
v28.0.10rc1
v28.0.11rc1
v28.0.1rc1
v28.0.2
v28.0.2rc1
v28.0.2rc2
v28.0.2rc3
v28.0.2rc4
v28.0.2rc5
v28.0.3
v28.0.3rc1
v28.0.3rc2
v28.0.4
v28.0.4rc1
v28.0.5
v28.0.5rc1
v28.0.6
v28.0.6rc1
v28.0.7
v28.0.7rc1
v28.0.7rc2
v28.0.7rc3
v28.0.7rc4
v28.0.8
v28.0.8rc1
v28.0.9
v28.0.9rc1
v29.*
v29.0.0
v29.0.1
v29.0.1rc1
v29.0.2
v29.0.2rc1
v29.0.2rc2
v29.0.3
v29.0.3rc1
v29.0.3rc2
v29.0.3rc3
v29.0.3rc4
v29.0.4
v29.0.4rc1
v29.0.5
v29.0.5rc1
v29.0.6
v29.0.6rc1
v29.0.7
v29.0.7rc1
v29.0.8rc1
v30.*
v30.0.0
v30.0.1rc1
v30.0.1rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52517.json"