CVE-2024-22404 is a medium-severity vulnerability affecting the Nextcloud Files ZIP app, which is used to create ZIP archives of files and folders within Nextcloud. The vulnerability arises from improper preservation of permissions (CWE-281) when users attempt to download files marked as "view-only" by zipping an entire folder. Specifically, in affected versions (>=1.2.0 and <1.2.1, and >=1.3.0 and <1.4.1), users with limited permissions can bypass intended access controls by creating ZIP archives that include files they should only be able to view but not download. This results in unauthorized data disclosure, as the ZIP archive allows downloading of files that should have restricted access. The vulnerability requires the attacker to have at least limited privileges (PR:L) and some user interaction (UI:R), such as initiating the ZIP operation. The CVSS 3.1 base score is 4.1, reflecting a medium severity with a network attack vector, low attack complexity, and partial confidentiality impact without affecting integrity or availability. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially authorized scope. No known exploits are reported in the wild yet. The recommended mitigation is to upgrade the Files ZIP app to versions 1.2.1, 1.4.1, or 1.5.0 where the issue is fixed. If upgrading is not feasible, disabling the Files ZIP app is advised to prevent exploitation. This vulnerability highlights the importance of correctly enforcing permission checks in file management operations, especially in collaborative cloud environments like Nextcloud where fine-grained access control is critical.

For European organizations using Nextcloud as a file sharing and collaboration platform, this vulnerability could lead to unauthorized disclosure of sensitive or confidential files. Since the flaw allows users with limited permissions to download files they should only view, it undermines data confidentiality and trust in access controls. This can be particularly damaging for sectors with strict data protection requirements such as finance, healthcare, legal, and government institutions across Europe. The breach of confidentiality could result in regulatory non-compliance with GDPR, potential data leaks, and reputational damage. Although the vulnerability does not affect data integrity or availability, the unauthorized data access risk is significant in environments where sensitive personal or business data is stored. The medium CVSS score suggests moderate risk, but the impact could be higher depending on the sensitivity of the data exposed. Organizations relying heavily on Nextcloud for secure collaboration must prioritize patching or disabling the vulnerable app to maintain compliance and protect sensitive information.

1. Immediate upgrade of the Nextcloud Files ZIP app to versions 1.2.1, 1.4.1, or 1.5.0 where the vulnerability is patched. 2. If upgrading is not immediately possible, disable the Files ZIP app entirely to prevent exploitation. 3. Review and audit user permissions within Nextcloud to ensure that only necessary users have access to sensitive files and folders. 4. Implement monitoring and alerting for unusual file download or archiving activities that could indicate exploitation attempts. 5. Educate users about the risks of using file archiving features and encourage reporting of suspicious behavior. 6. Regularly update Nextcloud and all associated apps to the latest versions to benefit from security fixes. 7. Consider deploying additional data loss prevention (DLP) controls and encryption for sensitive files stored in Nextcloud to mitigate potential data exposure. 8. Conduct periodic security assessments and penetration testing focused on access control enforcement in Nextcloud environments.