Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 897918 (CVE-2023-25159, CVE-2023-25579, CVE-2023-25816, CVE-2023-25821) - <www-apps/nextcloud-{24.0.9,25.0.3}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{24.0.9,25.0.3}: multiple vulnerabilities
Alias: CVE-2023-25159, CVE-2023-25579, CVE-2023-25816, CVE-2023-25821
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 898472
  Show dependency tree
Reported: 2023-02-26 17:40 UTC by John Helmert III
Modified: 2023-03-11 04:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:40:47 UTC
CVE-2023-25821 (

Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.

CVE-2023-25816 (

Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3 No workaround is available.

CVE-2023-25579 (

Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue.

Please stabilize 25.0.3.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 18:27:40 UTC
CVE-2023-25159 (

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available.
Comment 2 Bernard Cafarelli gentoo-dev 2023-02-28 17:14:23 UTC
We could also go with 24.0.9 (and cleanup 25.0 old versions), though now is a good time to switch stable to 25.x - and keep the 24.x branch in ~arch with latest point releases
Comment 3 Larry the Git Cow gentoo-dev 2023-02-28 23:34:57 UTC
The bug has been referenced in the following commit(s):

commit 077986fa8deafff639487a5cddaf318d06769168
Author:     Bernard Cafarelli <>
AuthorDate: 2023-02-28 23:34:17 +0000
Commit:     Bernard Cafarelli <>
CommitDate: 2023-02-28 23:34:22 +0000

    www-apps/nextcloud: drop 24.0.7, 24.0.8, 25.0.1, 25.0.2
    Keep latest 24.0.x and 25.0.x (unaffected by vulnerabilities)
    Signed-off-by: Bernard Cafarelli <>

 www-apps/nextcloud/Manifest                |  4 ---
 www-apps/nextcloud/nextcloud-24.0.7.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-24.0.8.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-25.0.1.ebuild | 43 ------------------------------
 www-apps/nextcloud/nextcloud-25.0.2.ebuild | 43 ------------------------------
 5 files changed, 176 deletions(-)