Storage

In MinIO versions starting in RELEASE.2024-06-06T09-36-42Z and prior to
RELEASE.2025-02-28T09-55-16Z a medium severity vulnerability CVE-2025-27414 was detected. This vulnerability allows attackers to bypass authentication and gain unauthorized data access by exploiting a bug in evaluating the trust of the SSH key used in an SFTP connection. To address this issue, users should upgrade MinIO to version RELEASE.2025-02-28T09-55-16Z. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27414.

In Nextcloud Server and Enterprise Server versions from 22.0.0 to 24.0.6 a medium severity vulnerability was detected. This vulnerability allows shared items to remain accessible to users after they are removed from a group, even when the server is configured to restrict sharing within groups. To address this issue, users should upgrade to Nextcloud Server versions 22.2.11, 23.0.11, or 24.0.6, and Nextcloud Enterprise Server versions 22.2.11, 23.0.11, or 24.0.6. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52516.

In Nextcloud Server and Enterprise Server versions from 25.0.0 to 30.0.1 a medium severity vulnerability CVE-2024-52517 was detected. This vulnerability allows attackers with access to an active user session to read global credentials in plain text. To address this issue, users should upgrade to Nextcloud Server versions 28.0.11, 29.0.8, or 30.0.1 and Nextcloud Enterprise Server versions 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, or 30.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-52517.

In MinIO versions from RELEASE.2022-06-25T15-50-16Z to RELEASE.2024-12-13T22-19-12Z a critical severity vulnerability CVE-2024-55949 was found. This vulnerability allows attackers to gain higher privileges. To address this issue, users are advised to upgrade to MinIO version RELEASE.2024-12-13T22-19-12Z or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-55949.

In Nextcloud Desktop Client versions 3.13.1 through 3.13.3 on Linux a critical severity vulnerability CVE-2024-46958 was detected. This vulnerability allows synchronized files between the server and client to become world writable or world readable. To address this issue, updating to version 3.13.4 is recommended. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-46958.

In Nextcloud Server versions 25.0.0 to 25.0.6 and 26.0.0 to 26.0.1 a low severity vulnerability CVE-2024-37314 was detected in the Nextcloud Photos app. This vulnerability allows users to remove photos from the albums of registered users. To address this issue, it is recommended to upgrade to Nextcloud Server version 25.0.7 or 26.0.2 and Nextcloud Enterprise Server version 25.0.7 or 26.0.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37314.

In Nextcloud Server versions 27.1.9 and earlier a low severity vulnerability CVE-2024-37887 was detected. This vulnerability allows attackers to read private shared calendar events’ recurrence exceptions. To address this issue, it is recommended to upgrade to Nextcloud Server version 27.1.10, 28.0.6, or 29.0.1, and Nextcloud Enterprise Server to version 27.1.10, 28.0.6, or 29.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37887.

In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37884 was detected. This vulnerability allows malicious users to delete old versions of files they only have read permissions for. To address this issue, it is recommended to upgrade Nextcloud Server to version 26.0.12, 27.1.7, or 28.0.3, and Nextcloud Enterprise Server to the same versions. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37884.

In Nextcloud Server versions prior to 26.0.12, 27.1.7 and 28.0.3 a medium severity vulnerability CVE-2024-37315 was detected. This vulnerability allows attackers with read-only access to restore older versions of a document if the files_versions app is enabled. To address this issue, it is recommended to upgrade to Nextcloud Server version to 26.0.12, 27.1.7 or 28.0.3 and the Nextcloud Enterprise Server versions to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3 For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37315.