Vulnerability-Lookup

CVE-2024-52508 (GCVE-0-2024-52508)

Vulnerability from cvelistv5 – Published: 2024-11-15 17:34 – Updated: 2024-11-15 18:17

Title

Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers

Summary

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nextcloud/security-advisories/…	x_refsource_CONFIRM
	https://github.com/nextcloud/mail/pull/9964	x_refsource_MISC
	https://github.com/nextcloud/mail/commit/a84c70e1…	x_refsource_MISC
	https://hackerone.com/reports/2508422	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nextcloud	security-advisories	Affected: >= 1.9.0, < 1.14.6 Affected: >= 2.1.0, < 2.2.11 Affected: >= 3.1.0, < 3.6.3 Affected: >= 1.15.0, < 1.15.4 Affected: >= 3.7.0, < 3.7.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:nextcloud:nextcloud_mail:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nextcloud_mail",
            "vendor": "nextcloud",
            "versions": [
              {
                "lessThan": "1.14.6",
                "status": "affected",
                "version": "1.9.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.2.11",
                "status": "affected",
                "version": "2.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.6.3",
                "status": "affected",
                "version": "3.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "15.4.0",
                "status": "affected",
                "version": "1.15.0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.7.7",
                "status": "affected",
                "version": "3.7.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-15T18:12:55.485493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-15T18:17:04.830Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.9.0, \u003c 1.14.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.2.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.6.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.15.0, \u003c 1.15.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.7.0, \u003c 3.7.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-15T17:34:21.900Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc"
        },
        {
          "name": "https://github.com/nextcloud/mail/pull/9964",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/mail/pull/9964"
        },
        {
          "name": "https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b"
        },
        {
          "name": "https://hackerone.com/reports/2508422",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/2508422"
        }
      ],
      "source": {
        "advisory": "GHSA-vmhx-hwph-q6mc",
        "discovery": "UNKNOWN"
      },
      "title": "Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52508",
    "datePublished": "2024-11-15T17:34:21.900Z",
    "dateReserved": "2024-11-11T18:49:23.558Z",
    "dateUpdated": "2024-11-15T18:17:04.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52508\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T18:12:55.485493Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:nextcloud:nextcloud_mail:*:*:*:*:*:*:*:*\"], \"vendor\": \"nextcloud\", \"product\": \"nextcloud_mail\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.9.0\", \"lessThan\": \"1.14.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.1.0\", \"lessThan\": \"2.2.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.1.0\", \"lessThan\": \"3.6.3\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.15.0\", \"lessThan\": \"15.4.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.7.0\", \"lessThan\": \"3.7.7\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T18:16:54.895Z\"}}], \"cna\": {\"title\": \"Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers\", \"source\": {\"advisory\": \"GHSA-vmhx-hwph-q6mc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nextcloud\", \"product\": \"security-advisories\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.9.0, \u003c 1.14.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.1.0, \u003c 2.2.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.6.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.15.0, \u003c 1.15.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.7.0, \u003c 3.7.7\"}]}], \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc\", \"name\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nextcloud/mail/pull/9964\", \"name\": \"https://github.com/nextcloud/mail/pull/9964\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b\", \"name\": \"https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://hackerone.com/reports/2508422\", \"name\": \"https://hackerone.com/reports/2508422\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-15T17:34:21.900Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52508\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-15T18:17:04.830Z\", \"dateReserved\": \"2024-11-11T18:49:23.558Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-15T17:34:21.900Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CVE-2024-52508

Vulnerability from fstec - Published: 15.11.2024

Title

Уязвимость клиента электронной почты Nextcloud mail, связанная с раскрытием конфиденциальной информации неавторизованному лицу, позволяющая нарушителю раскрыть защищаемую информацию

Description

Уязвимость клиента электронной почты Nextcloud mail связана с некорректной автоматической настройкой. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, раскрыть защищаемую информацию

Severity ?


                    
                      AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L

Vendor

ООО «Ред Софт», Nextcloud GmbH

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), Nextcloud mail

Software Version

7.3 (РЕД ОС), от 1.9.0 до 1.15.4 (Nextcloud mail), от 2.1.0 до 2.2.11 (Nextcloud mail), от 3.1.0 до 3.7.7 (Nextcloud mail)

Possible Mitigations

Использование рекомендаций: Для Nextcloud mail: https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b_x0001_ https://github.com/nextcloud/mail/pull/9964_x0001_ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc Для РедоС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Reference

https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b_x0001_ https://github.com/nextcloud/mail/pull/9964_x0001_ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

CWE

CWE-200

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:P",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Nextcloud GmbH",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 1.9.0 \u0434\u043e 1.15.4 (Nextcloud mail), \u043e\u0442 2.1.0 \u0434\u043e 2.2.11 (Nextcloud mail), \u043e\u0442 3.1.0 \u0434\u043e 3.7.7 (Nextcloud mail)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Nextcloud mail:\nhttps://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b_x0001_\nhttps://github.com/nextcloud/mail/pull/9964_x0001_\nhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u043e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "06.12.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.12.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-10855",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-52508",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Nextcloud mail",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u044b Nextcloud mail, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u043b\u0438\u0446\u0443, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 (CWE-200)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u044b Nextcloud mail \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0439 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u043e\u0439. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b_x0001_\nhttps://github.com/nextcloud/mail/pull/9964_x0001_\nhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-200",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,2)"
}

FKIE_CVE-2024-52508

Vulnerability from fkie_nvd - Published: 2024-11-15 18:15 - Updated: 2025-10-01 18:10

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b	Patch
security-advisories@github.com	https://github.com/nextcloud/mail/pull/9964	Issue Tracking
security-advisories@github.com	https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc	Vendor Advisory
security-advisories@github.com	https://hackerone.com/reports/2508422	Issue Tracking

Impacted products

Vendor	Product	Version
nextcloud	mail	*
nextcloud	mail	*
nextcloud	mail	*
nextcloud	mail	*
nextcloud	mail	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*",
              "matchCriteriaId": "000DD4A3-3CD5-44A5-B985-D183855F8A03",
              "versionEndExcluding": "1.14.6",
              "versionStartIncluding": "1.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*",
              "matchCriteriaId": "159CA04A-9A62-4760-BB69-2421189F43CE",
              "versionEndExcluding": "1.15.4",
              "versionStartIncluding": "1.15.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*",
              "matchCriteriaId": "E97F675D-D1A7-4BC3-9FF3-1DC3E489267B",
              "versionEndExcluding": "2.2.11",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*",
              "matchCriteriaId": "253BAAFD-A6BC-42B1-9401-AA97CC399F5F",
              "versionEndExcluding": "3.6.3",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*",
              "matchCriteriaId": "2A0AE244-9763-46DA-8DBF-2BA84F8D29BE",
              "versionEndExcluding": "3.7.7",
              "versionStartIncluding": "3.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0."
    },
    {
      "lang": "es",
      "value": "Nextcloud Mail es la aplicaci\u00f3n de correo de Nextcloud, una plataforma de productividad alojada en servidores propios. Cuando un usuario intenta configurar una cuenta de correo con una direcci\u00f3n de correo electr\u00f3nico como user@example.tld que no admite la configuraci\u00f3n autom\u00e1tica, y un atacante logra registrar autoconfig.tld, los detalles de correo electr\u00f3nico utilizados se env\u00edan al servidor del atacante. Se recomienda que la aplicaci\u00f3n Nextcloud Mail se actualice a 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 o 4.0.0."
    }
  ],
  "id": "CVE-2024-52508",
  "lastModified": "2025-10-01T18:10:01.593",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-15T18:15:29.060",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nextcloud/mail/pull/9964"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://hackerone.com/reports/2508422"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-52508 (GCVE-0-2024-52508)

CVE-2024-52508

FKIE_CVE-2024-52508

Tags

Sightings

Nomenclature