Vulnerabilites related to nextcloud - zipper
CVE-2024-22404 (GCVE-0-2024-22404)
Vulnerability from cvelistv5
Published
2024-01-18 20:14
Modified
2025-06-02 15:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Version: >= 1.2.0, < 1.2.1 Version: >= 1.3.0, < 1.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq"
},
{
"name": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820"
},
{
"name": "https://hackerone.com/reports/2247457",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2247457"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:09:22.953426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:03:33.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.1"
},
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download \"view-only\" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-18T20:14:27.914Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq"
},
{
"name": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820"
},
{
"name": "https://hackerone.com/reports/2247457",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2247457"
}
],
"source": {
"advisory": "GHSA-vhj3-mch4-67fq",
"discovery": "UNKNOWN"
},
"title": "Permissions bypass in Nextcloud with the files zip app"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22404",
"datePublished": "2024-01-18T20:14:27.914Z",
"dateReserved": "2024-01-10T15:09:55.548Z",
"dateUpdated": "2025-06-02T15:03:33.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-01-18 21:15
Modified
2024-11-21 08:56
Severity ?
4.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextcloud:zipper:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CACAF88-8B0B-4909-B633-02EE818C3F8C",
"versionEndExcluding": "1.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextcloud:zipper:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AEFDD9DF-54EB-47B4-A70D-D3910C77F2B0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download \"view-only\" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n Nextcloud files Zip es una herramienta para crear archivos zip a partir de uno o varios archivos desde Nextcloud. En las versiones afectadas, los usuarios pueden descargar archivos de \"s\u00f3lo lectura\" comprimiendo la carpeta completa. Se recomienda actualizar la aplicaci\u00f3n Archivos ZIP a 1.2.1, 1.4.1 o 1.5.0. Los usuarios que no puedan actualizar deben desactivar la aplicaci\u00f3n de archivos zip."
}
],
"id": "CVE-2024-22404",
"lastModified": "2024-11-21T08:56:12.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-18T21:15:08.830",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/2247457"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/2247457"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-281"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}