CVE-2023-39959 LOW

CVE-2023-39959: Existence of calendars and address books can be checked by unauthenticated users

Vendor Nextcloud

Product security-advisories

Weakness CWE-284

Published August 10, 2023

Last update October 8, 2024

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Key dates

02Disclosure timeline

August 10, 2023 CVE published

October 8, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-39959

Related vulnerabilities

Identifiers

CVE CVE-2023-39959

CWE CWE-284

CVSS 3.5 / LOW

Affected versions

Vendor Nextcloud

Product security-advisories

Affected >= 25.0.0, < 25.0.9

Vendor Nextcloud

Product security-advisories

Affected >= 26.0.0, < 26.0.4

Vendor Nextcloud

Product security-advisories

Affected >= 27.0.0, < 27.0.1

CVE-2023-39959: Existence of calendars and address books can be checked by unauthenticated users

01Description

02Disclosure timeline

03References

04Related CVE