CVE-2023-39962
📋 TL;DR
This vulnerability in Nextcloud Server allows a malicious authenticated user to delete any personal or global external storage configuration, making those storage locations inaccessible to all users. It affects Nextcloud Server versions 19.0.0 through 27.0.0 (excluding patched versions). The issue stems from improper access control in the files_external app.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete all external storage configurations, causing complete loss of access to external data sources and disrupting business operations that depend on these storage connections.
Likely Case
A malicious insider or compromised account deletes specific external storage configurations, causing targeted disruption to affected users or departments.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary disruption until configurations can be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated user access. The vulnerability is in access control logic, making exploitation straightforward for authenticated attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Nextcloud Server: 25.0.9, 26.0.4, 27.0.1; Nextcloud Enterprise Server: 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, 27.0.1
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
Restart Required: No
Instructions:
1. Back up your Nextcloud instance.
2. Update to the patched version for your release branch.
3. Verify the update completed successfully.
4. Test external storage functionality.
🔧 Temporary Workarounds
Disable files_external app
Temporarily disable the vulnerable files_external app to prevent exploitation while retaining the stored configurations. While the app is disabled, the external storage mounts it provides are unavailable to users; run occ as the web server user.
occ app:disable files_external
🧯 If You Can't Patch
- Implement strict access controls and monitor for suspicious deletion of external storage configurations.
- Regularly backup external storage configurations and maintain an incident response plan for restoration.
🔍 How to Verify
Check if Vulnerable:
Check your Nextcloud version and compare it against the affected versions. If you are running any version from 19.0.0 through 27.0.0 that is below the patched release for your release branch, you are vulnerable.
Check Version:
occ status | grep 'versionstring'
Verify Fix Applied:
After updating, verify your version matches one of the patched versions listed in the advisory.
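The check described above, as an added example that is not part of the original advisory: a small Python helper that extracts the versionstring from the output of occ status and compares it against the affected range and the per-branch patched releases listed on this card. Versions below 19.0.0 or in a branch newer than 27 fall outside the stated affected range and are reported as not vulnerable; the sample occ output below is constructed.

```python
import re

# Affected range and first fixed release per branch, taken from the advisory card.
# Branches 19 through 24 are only patched in Nextcloud Enterprise Server.
AFFECTED_MIN = (19, 0, 0)
AFFECTED_MAX_MAJOR = 27
PATCHED = {
    19: "19.0.13.10",
    20: "20.0.14.15",
    21: "21.0.9.13",
    22: "22.2.10.14",
    23: "23.0.12.9",
    24: "24.0.12.5",
    25: "25.0.9",
    26: "26.0.4",
    27: "27.0.1",
}


def parse_version(text):
    """Turn '27.0.1' or '19.0.13.10' into an integer tuple that compares correctly."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_occ_status(output):
    """Pull the 'versionstring' value out of `occ status` output; None if it is missing."""
    match = re.search(r"versionstring:\s*([0-9][0-9.]*)", output)
    return match.group(1) if match else None


def is_vulnerable(version_text):
    """True when the version is inside the affected range and below its branch's fix."""
    version = parse_version(version_text)
    major = version[0]
    if version < AFFECTED_MIN or major > AFFECTED_MAX_MAJOR:
        return False  # outside the range the advisory lists as affected
    # Tuple comparison treats a shorter prefix as smaller, so community 19.0.13
    # correctly ranks below the Enterprise fix 19.0.13.10.
    return version < parse_version(PATCHED[major])


if __name__ == "__main__":
    # Constructed sample of `occ status` output for demonstration.
    sample_status = "  - installed: true\n  - version: 26.0.3.2\n  - versionstring: 26.0.3\n"
    found = version_from_occ_status(sample_status)
    print(f"versionstring {found}: {'VULNERABLE' if is_vulnerable(found) else 'patched or unaffected'}")
```

In practice, pipe the real output into the helper (for example occ status | python3 check.py with the script reading sys.stdin); the parsing is deliberately tolerant of the leading "- " and indentation that occ prints.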
📡 Detection & Monitoring
Log Indicators:
- Unexpected deletion of external storage configurations in Nextcloud logs
- Multiple storage deletion events from single user account
Network Indicators:
- Increased API calls to external storage management endpoints
SIEM Query:
source="nextcloud.log" AND "external storage" AND (delete OR remove)
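The log indicators above, as an added detection example that is not part of the original advisory: a Python script that reads nextcloud.log style JSON lines, flags entries that look like removal of an external storage configuration, and reports accounts with multiple deletions. The sample log lines are constructed, and the files_external endpoint paths used to match URLs are an assumption about the app's routes rather than something taken from the advisory; the message-text match mirrors the SIEM query above.

```python
import json
from collections import Counter

# Constructed sample nextcloud.log entries (JSON lines); not real log data.
SAMPLE_LOG = """\
{"reqId":"r1","level":1,"time":"2023-08-01T10:00:01+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"files_external","method":"DELETE","url":"/index.php/apps/files_external/globalstorages/3","message":"external storage 3 removed","version":"27.0.0.8"}
{"reqId":"r2","level":1,"time":"2023-08-01T10:00:04+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"files_external","method":"DELETE","url":"/index.php/apps/files_external/globalstorages/4","message":"external storage 4 removed","version":"27.0.0.8"}
{"reqId":"r3","level":1,"time":"2023-08-01T10:00:09+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"files_external","method":"DELETE","url":"/index.php/apps/files_external/userglobalstorages/7","message":"external storage 7 removed","version":"27.0.0.8"}
{"reqId":"r4","level":1,"time":"2023-08-01T10:05:00+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"files_external","method":"DELETE","url":"/index.php/apps/files_external/userstorages/12","message":"external storage 12 removed","version":"27.0.0.8"}
{"reqId":"r5","level":1,"time":"2023-08-01T10:06:00+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"files_external","method":"GET","url":"/index.php/apps/files_external/globalstorages","message":"listing external storages","version":"27.0.0.8"}
{"reqId":"r6","level":2,"time":"2023-08-01T10:07:00+00:00","remoteAddr":"10.0.0.9","user":"carol","app":"files","method":"DELETE","url":"/remote.php/dav/files/carol/report.pdf","message":"file deleted","version":"27.0.0.8"}
this line is not JSON and must be skipped
"""

# Assumed shapes of the files_external storage management routes (hypothetical, see lead-in).
STORAGE_ENDPOINTS = (
    "/apps/files_external/globalstorages/",
    "/apps/files_external/userstorages/",
    "/apps/files_external/userglobalstorages/",
)


def parse_log(text):
    """Yield one dict per well-formed JSON line; malformed or blank lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def is_storage_deletion(entry):
    """True when the entry looks like removal of an external storage configuration.

    Two independent signals: a DELETE against a storage endpoint, or a message that
    mentions external storage together with delete/remove (the SIEM query's logic).
    """
    method = str(entry.get("method", "")).upper()
    url = str(entry.get("url", ""))
    message = str(entry.get("message", "")).lower()
    by_url = method == "DELETE" and any(marker in url for marker in STORAGE_ENDPOINTS)
    by_message = "external storage" in message and ("delet" in message or "remov" in message)
    return by_url or by_message


def find_deletions(text):
    """Return (user, url) for every external storage deletion found in the log text."""
    return [(e.get("user", "?"), e.get("url", "")) for e in parse_log(text) if is_storage_deletion(e)]


def users_over_threshold(text, threshold=2):
    """Accounts with at least `threshold` deletions, i.e. the 'multiple deletion events
    from a single user account' indicator. Returns {user: count}."""
    counts = Counter(user for user, _ in find_deletions(text))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, url in find_deletions(SAMPLE_LOG):
        print(f"storage deletion by {user}: {url}")
    print("flagged accounts:", users_over_threshold(SAMPLE_LOG))
```

A plain GET listing of storages and an ordinary WebDAV file deletion are left alone, so the rule keys on the storage management endpoints rather than on any DELETE; the threshold separates a single administrative removal from a burst of deletions from one account.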
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
- https://github.com/nextcloud/server/pull/39323
- https://hackerone.com/reports/2047168