
CVE-2024-22404: CWE-281: Improper Preservation of Permissions in nextcloud security-advisories

Medium
Tags: Vulnerability, CVE-2024-22404, cve, cve-2024-22404, cwe-281
Published: Thu Jan 18 2024 (01/18/2024, 20:14:27 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.

AI-Powered Analysis

Last updated: 07/03/2025, 16:09:46 UTC

Technical Analysis

CVE-2024-22404 is a medium-severity vulnerability in the Nextcloud Files ZIP app, which lets a user build a ZIP archive of one or more files or folders from within Nextcloud. It is classified as CWE-281, Improper Preservation of Permissions: when a user zips a whole folder, the app honours the read permission on the folder but does not carry the per-file "view-only" restriction (a share granted without download permission, "hide download" in the Nextcloud UI) through to the archive. Affected versions are 1.2.0 up to but not including 1.2.1, and 1.3.0 up to but not including 1.4.1.

The practical effect is that a user who was only meant to view a file can obtain its full contents by zipping the folder that contains it and downloading the archive. This is purely a confidentiality problem; integrity and availability are unaffected.

The CVSS 3.1 base score is 4.1 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, an authenticated user who holds the view-only share), user interaction required (UI:R), changed scope (S:C, the exposed data lies beyond what the requesting user was authorized to access) and low confidentiality impact (C:L) with no integrity or availability impact. Note that UI:R in CVSS denotes an action by someone other than the attacker, so it is not the attacker's own act of starting the ZIP operation. No exploitation in the wild has been reported.

The fix is to upgrade the Files ZIP app to 1.2.1, 1.4.1 or 1.5.0; where that is not possible, disable the app. The general lesson for collaborative platforms with fine-grained sharing is that any operation which aggregates or re-packages files (archive download, bulk export) must re-evaluate the effective permission of every entry rather than only the permission on the container.
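The following is an added illustration, not code from the Nextcloud Files ZIP app or from the advisory, of the CWE-281 pattern described above: a "zip this folder" routine that authorizes on the folder once and then streams every file, next to a corrected routine that re-evaluates each entry and excludes view-only files. The in-memory storage, the `Share` model (download=False standing in for a view-only share) and the longest-matching-path rule are constructed assumptions for the example.

```python
"""
Added illustration of CWE-281 in a 'zip this folder' operation (not the
Nextcloud Files ZIP app's code). Assumptions, all constructed for this example:
  * FILES is an in-memory stand-in for the user's storage;
  * a Share models what the requesting user was granted; download=False is the
    view-only case (Nextcloud's 'hide download' share attribute);
  * the most specific matching share (longest path) decides a file's permission.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample storage: path -> content
FILES: Dict[str, bytes] = {
    "projects/readme.txt": b"public notes",
    "projects/contract.pdf": b"%PDF-1.4 confidential terms",
    "projects/sub/budget.xlsx": b"PK budget figures",
}


@dataclass(frozen=True)
class Share:
    path: str               # folder or file the requesting user was granted
    download: bool = True   # False => view-only


def files_under(folder: str) -> List[str]:
    prefix = folder.rstrip("/") + "/"
    return sorted(p for p in FILES if p.startswith(prefix))


def share_for(path: str, shares: Sequence[Share]) -> Optional[Share]:
    """Most specific share covering `path` (longest path wins); None if unshared."""
    best: Optional[Share] = None
    for s in shares:
        covers = path == s.path or path.startswith(s.path.rstrip("/") + "/")
        if covers and (best is None or len(s.path) > len(best.path)):
            best = s
    return best


def zip_folder_vulnerable(folder: str, shares: Sequence[Share]) -> bytes:
    """The CWE-281 pattern: authorize once on the container, then stream every
    child regardless of the child's own effective permission."""
    if share_for(folder, shares) is None:
        raise PermissionError(f"no access to {folder}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in files_under(folder):
            zf.writestr(path, FILES[path])   # view-only files leak here
    return buf.getvalue()


def zip_folder_fixed(folder: str, shares: Sequence[Share]) -> Tuple[bytes, List[str]]:
    """Re-evaluate each entry's effective permission: exclude view-only entries,
    report them to the caller, and refuse to build an archive that would hold
    nothing the user is allowed to download."""
    if share_for(folder, shares) is None:
        raise PermissionError(f"no access to {folder}")
    included, skipped = [], []
    for path in files_under(folder):
        s = share_for(path, shares)
        (included if s is not None and s.download else skipped).append(path)
    if not included:
        raise PermissionError(f"nothing downloadable under {folder}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in included:
            zf.writestr(path, FILES[path])
    return buf.getvalue(), skipped


def entries(zip_bytes: bytes) -> List[str]:
    """Sorted member names of an archive, used to inspect the result."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


if __name__ == "__main__":
    shares = [Share("projects"), Share("projects/contract.pdf", download=False)]
    print("vulnerable:", entries(zip_folder_vulnerable("projects", shares)))
    archive, skipped = zip_folder_fixed("projects", shares)
    print("fixed:", entries(archive), "skipped:", skipped)
```

With the folder shared normally and `contract.pdf` view-only, the vulnerable routine returns all three files while the fixed one returns two and reports the skipped entry; with the whole folder view-only, the fixed routine refuses outright instead of producing an archive of files the user may not download.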

Potential Impact

For European organizations using Nextcloud as a file sharing and collaboration platform, this vulnerability could lead to unauthorized disclosure of sensitive or confidential files. Since the flaw allows users with limited permissions to download files they should only view, it undermines data confidentiality and trust in access controls. This can be particularly damaging for sectors with strict data protection requirements such as finance, healthcare, legal, and government institutions across Europe. The breach of confidentiality could result in regulatory non-compliance with GDPR, potential data leaks, and reputational damage. Although the vulnerability does not affect data integrity or availability, the unauthorized data access risk is significant in environments where sensitive personal or business data is stored. The medium CVSS score suggests moderate risk, but the impact could be higher depending on the sensitivity of the data exposed. Organizations relying heavily on Nextcloud for secure collaboration must prioritize patching or disabling the vulnerable app to maintain compliance and protect sensitive information.

Mitigation Recommendations

1. Upgrade the Nextcloud Files ZIP app to 1.2.1, 1.4.1 or 1.5.0, the versions in which the issue is fixed.
2. If upgrading is not immediately possible, disable the Files ZIP app; this removes the vulnerable code path at the cost of the feature.
3. Review who holds shares on sensitive folders and, in particular, which shares were granted as view-only (download disabled). Those are the shares this flaw affects; treat any such file as potentially downloaded while a vulnerable version was enabled.
4. Enable audit logging (the admin_audit app records file access) and watch for unusual archive or bulk download activity, especially from accounts that hold only view-only shares.
5. Tell users what a view-only share does and does not guarantee, and ask them to report suspicious behaviour.
6. Keep Nextcloud and all installed apps current so that security fixes are applied promptly.
7. Consider additional data loss prevention (DLP) controls and encryption for sensitive files. Note that server-side encryption at rest does not help against this flaw, since the server decrypts content for any read it has authorized; only end-to-end encryption keeps the content from the server.
8. Conduct periodic security assessments and penetration tests that specifically exercise permission enforcement on aggregate operations (archive download, bulk export) in the Nextcloud environment.
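Steps 1 and 2 above reduce to a version check followed by an `occ` command. The helper below is an added example, not part of Nextcloud or the Files ZIP app: it reads the JSON output of `occ app:list --output=json`, finds the Files ZIP app and says whether the installed version falls in one of the affected ranges from the advisory. Assumptions: the app id is `files_zip` (the nextcloud/files_zip repository), `occ app:list --output=json` returns an object with `enabled` and `disabled` maps of app id to version, and the sample output embedded here is constructed.

```python
"""
Added triage helper for CVE-2024-22404 (not Nextcloud's own code). Assumptions:
  * the Files ZIP app id is files_zip;
  * `occ app:list --output=json` yields {"enabled": {id: version},
    "disabled": {id: version-or-null}};
  * the caller supplies the php binary and the path to occ.
"""
import json
import subprocess
from typing import Dict, Tuple

APP_ID = "files_zip"
# Affected ranges stated in the advisory: >=1.2.0 <1.2.1 and >=1.3.0 <1.4.1.
AFFECTED_RANGES = (
    ((1, 2, 0), (1, 2, 1)),
    ((1, 3, 0), (1, 4, 1)),
)
FIXED_VERSIONS = ("1.2.1", "1.4.1", "1.5.0")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'1.4.0' -> (1, 4, 0). A '-suffix' is ignored and missing components are
    treated as 0 (both assumptions about how app versions are written)."""
    core = text.strip().split("-", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(app_list_json: str) -> Dict[str, object]:
    """Decide state, affectedness and the occ action for the Files ZIP app."""
    data = json.loads(app_list_json)
    enabled = data.get("enabled") or {}
    disabled = data.get("disabled") or {}
    if APP_ID in enabled:
        version = str(enabled[APP_ID])
        if is_affected(version):
            action = (f"occ app:update {APP_ID}  # to one of {', '.join(FIXED_VERSIONS)}; "
                      f"or occ app:disable {APP_ID} until you can")
            return {"state": "enabled", "version": version, "affected": True, "action": action}
        return {"state": "enabled", "version": version, "affected": False, "action": "none"}
    if APP_ID in disabled:
        raw = disabled[APP_ID]
        version = str(raw) if raw else None
        affected = None if version is None else is_affected(version)
        return {"state": "disabled", "version": version, "affected": affected,
                "action": f"keep disabled, or update before running occ app:enable {APP_ID}"}
    return {"state": "absent", "version": None, "affected": False, "action": "none"}


def triage_live(occ_path: str = "occ", php: str = "php") -> Dict[str, object]:
    """Run occ on this host (as the web server user) and triage its output."""
    out = subprocess.run([php, occ_path, "app:list", "--output=json"],
                         check=True, capture_output=True, text=True).stdout
    return triage(out)


# Constructed sample in the shape occ is assumed to produce.
SAMPLE_APP_LIST = json.dumps({
    "enabled": {"files": "1.19.0", "files_zip": "1.4.0"},
    "disabled": {"user_ldap": "1.16.0"},
})

if __name__ == "__main__":
    print(triage(SAMPLE_APP_LIST))
```

Run `triage_live()` as the web server user on the Nextcloud host; a disabled but affected copy of the app is reported separately so that nobody re-enables it before updating.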


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-01-10T15:09:55.548Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683dbfa6182aa0cae2498342

Added to database: 6/2/2025, 3:13:42 PM

Last enriched: 7/3/2025, 4:09:46 PM

Last updated: 8/13/2025, 10:10:41 PM

