#VU103052 Reversible One-Way Hash in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52521

Cybersecurity Help s.r.o.

Published: 2025-01-20

Vulnerability identifier: #VU103052

Vulnerability risk: Low

CVSSv4.0: 0.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-52521

CWE-ID: CWE-328

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nextcloud Server
Client/Desktop applications / Messaging software
Nextcloud Enterprise Server
Client/Desktop applications / Messaging software

Vendor: Nextcloud

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the MD5 hashes are used to check background jobs for their uniqueness. A remote user can cause potential hash collision for background jobs to skip queuing them.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Nextcloud Server: 28.0.0 - 29.0.6

Nextcloud Enterprise Server: 28.0.0 - 29.0.6

External links
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2q6f-gjgj-7hp4
https://github.com/nextcloud/server/pull/47769
https://github.com/nextcloud/server/commit/a933ba1fdba77e7d8c6b8ff400e082cf853ea46d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Reversible One-Way Hash in Nextcloud Server and Enterprise Server