CVE-2022-36075: The Nextcloud Files Access Control app allows users with limited access to see file names.

If you are on an older version of Nextcloud Files Access Control, it is recommended that you upgrade as soon as possible. Additionally, you need to install the latest Nextcloud server app to get the latest version of Nextcloud Files Access Control. End users who have installed the Nextcloud Files Access Control app can upgrade their app to 1.14.1. Go to the app settings, click on "Upgrade to 1.14.1" and then upgrade the app.

How to check if you are vulnerable?

Step 1: Using the Linux terminal, type in:

sudo ncdu -r

If you are vulnerable, the output will show your home directory. For example, /home/user. If not, the output will show 'No files found.'

Step 2: Using the Linux terminal, type in:

ls -l /home/user/.config/nextcloud | grep FilesAccessControl/ | grep -v "^# " | grep -v "^\.ko" | grep -v "^\.ko$"
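
A version check against the 1.14.1 release named above, as an added example that is not part of the original page or the Nextcloud project's code. It assumes the app id `files_accesscontrol` and JSON shaped like the output of `occ app:list --output=json`; the function names, the occ path and the sample input are illustrative.

```shell
#!/bin/sh
# Added example: report whether Files Access Control is older than 1.14.1.
# Assumed input: JSON from `occ app:list --output=json`, e.g.
#   sudo -u www-data php /var/www/nextcloud/occ app:list --output=json | fac_status
# (the occ path and web-server user are assumptions; adjust to your install).

FIXED="1.14.1"   # release named on this page

# version_lt A B: succeeds when A sorts strictly before B as a version.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fac_version: read app-list JSON on stdin and print the files_accesscontrol
# version, whether the app is listed as enabled or disabled.
fac_version() {
  grep -o '"files_accesscontrol"[[:space:]]*:[[:space:]]*"[^"]*"' |
    head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# fac_status: print "not-installed", "outdated <v>" or "ok <v>".
fac_status() {
  v=$(fac_version)
  if [ -z "$v" ]; then
    echo "not-installed"
  elif version_lt "$v" "$FIXED"; then
    echo "outdated $v"
  else
    echo "ok $v"
  fi
}

# Constructed sample input (not captured from a real server).
SAMPLE='{"enabled":{"files":"1.19.0","files_accesscontrol":"1.14.0"},"disabled":{}}'
printf '%s\n' "$SAMPLE" | fac_status
```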

How to install Nextcloud Files Access Control for the first time?

If you have not installed Nextcloud yet, go to our website https://nextcloud.com/download/ and download the Nextcloud app.
After the installation, you need to set up an admin account that has read permissions for all files and folders in your home directory.
Next, open the settings of the Nextcloud Files Access Control app and click on "Allow access to your files". Set up a new user with read permissions for all your directories.
That's it! You are done installing Nextcloud Files Access Control for your own private space on your Nextcloud server.


What’s new in Nextcloud Files Access Control 1.14.1?

- The ability to add a default location for newly created files
- The ability to change the list of allowed apps in the Settings app
- A new notification which will be shown when an access request is rejected

Nextcloud Files Access Control 1.14.1 Release Notes

This release fixes the following security issue: https://www.exploit-db.com/exploits/36759
Hashes of old versions of the Nextcloud Files Access Control app were published on exploit-db.com, which allowed an attacker to create fake profiles and use them to send out malicious links that could lead to arbitrary code execution in the Nextcloud instance.
The upgrade addresses this issue by requiring two-factor authentication when creating a new Nextcloud account and by changing how URL hashes are calculated. Users who have already created a Nextcloud account with a vulnerable version will be notified when they log in to their account, so they can change their password before logging in again after updating their installation.
Note that this update will break compatibility with the Files Access Control iOS app for iPhones and iPads.

Timeline

Published on: 09/15/2022 22:15:00 UTC
Last modified on: 09/19/2022 19:16:00 UTC

References