Nextcloud Server
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*
- >= 30.0.0
- >= 29.0.0
- >= 28.0.0
A vulnerability in Nextcloud Server, Nextcloud Enterprise Server, and the Nextcloud Groupfolders app allows logged-in users to upload files that exceed the quota configured for a group folder. The cause is missing quota enforcement on the attachment upload path, so a file uploaded as an attachment is not checked against the group folder's storage limit the way a regular upload is. The vulnerability is present in Nextcloud Server versions 30.0.0 prior to 30.0.2 and 29.0.0 prior to 29.0.9, and in Nextcloud Enterprise Server versions 30.0.0 prior to 30.0.2, 29.0.0 prior to 29.0.9, and 28.0.0 prior to 28.0.12 (matching the fixed versions listed below). It also affects the Nextcloud Groupfolders app in versions 18.0.0 through 18.0.2, 17.0.0 through 17.0.4, and 16.0.0 through 16.0.10.
Exploitation of this vulnerability allows users to upload files that exceed the group folder quota, potentially leading to excessive storage use and associated costs.
To reproduce this vulnerability, log into a Nextcloud instance with the Groupfolders app enabled and open a group folder that has a quota set. Upload, via the attachment path rather than a regular file upload, a file larger than the folder's remaining quota. On an affected instance the upload is accepted and the folder's usage exceeds its limit; on a patched instance the same upload should be rejected.
Users are advised to update Nextcloud Server to version 30.0.2 or 29.0.9, Nextcloud Enterprise Server to version 30.0.2, 29.0.9 or 28.0.12, and the Nextcloud Groupfolders app to version 18.0.3, 17.0.5 or 16.0.11.
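The following is an added example, not code from Nextcloud or from the advisory, that turns the affected and fixed version ranges above into an offline check. It compares the server version and the Groupfolders app version against the fixed versions listed in the advisory, per release branch. The sample JSON is constructed here and only mimics the shape of `occ status --output=json` and `occ app:list --output=json`; the key names used are an assumption and should be confirmed against your instance's actual output.

```python
"""Check Nextcloud Server / Groupfolders versions against the fixed versions
listed in the advisory. Added example; not Nextcloud project code."""
import json

# Fixed versions from the advisory, keyed by release branch (major version).
# A branch that is not listed is reported as "not covered", not as safe.
SERVER_FIXED = {30: (30, 0, 2), 29: (29, 0, 9)}
ENTERPRISE_FIXED = {30: (30, 0, 2), 29: (29, 0, 9), 28: (28, 0, 12)}
GROUPFOLDERS_FIXED = {18: (18, 0, 3), 17: (17, 0, 5), 16: (16, 0, 11)}

# Constructed sample output. Assumption: occ status reports "versionstring"
# (three components) and "version" (four components); app:list groups apps
# under "enabled"/"disabled" with the app version as the value.
SAMPLE_STATUS = json.dumps({
    "installed": True, "version": "30.0.1.2", "versionstring": "30.0.1",
    "edition": "", "maintenance": False, "productname": "Nextcloud",
})
SAMPLE_APP_LIST = json.dumps({
    "enabled": {"groupfolders": "18.0.2", "files": "2.2.0"},
    "disabled": {"encryption": "2.18.0"},
})


def parse_version(s):
    """'30.0.1.2' -> (30, 0, 1, 2). Tuple comparison handles a trailing
    build component: (30, 0, 2, 0) >= (30, 0, 2) is True."""
    return tuple(int(part) for part in s.strip().split("."))


def is_vulnerable(version, fixed_by_branch):
    """True if version is on a listed branch and below its fix, False if at
    or above the fix, None if the advisory lists no fix for that branch."""
    v = parse_version(version)
    fixed = fixed_by_branch.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def assess(status_json, applist_json, enterprise=False):
    """Return a list of findings (empty when nothing is affected)."""
    status = json.loads(status_json)
    apps = json.loads(applist_json)
    server_ver = status.get("versionstring") or status["version"]
    gf_ver = apps.get("enabled", {}).get("groupfolders")
    table = ENTERPRISE_FIXED if enterprise else SERVER_FIXED

    findings = []
    state = is_vulnerable(server_ver, table)
    if state is True:
        findings.append(f"server {server_ver} is below the fixed version "
                        f"{'.'.join(map(str, table[parse_version(server_ver)[0]]))}")
    elif state is None:
        findings.append(f"server {server_ver}: branch not covered by the advisory")

    # Groupfolders only matters when the app is actually enabled.
    if gf_ver is not None:
        state = is_vulnerable(gf_ver, GROUPFOLDERS_FIXED)
        if state is True:
            findings.append(f"groupfolders {gf_ver} is below the fixed version "
                            f"{'.'.join(map(str, GROUPFOLDERS_FIXED[parse_version(gf_ver)[0]]))}")
        elif state is None:
            findings.append(f"groupfolders {gf_ver}: branch not covered by the advisory")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_STATUS, SAMPLE_APP_LIST) or ["no affected versions found"]:
        print(line)
```

Both components are updated together: the advisory lists fixes for the server and for the Groupfolders app, so a server on a fixed release with an old Groupfolders app (or the reverse) is still reported. A branch the advisory does not mention is surfaced as "not covered" rather than silently treated as safe.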