Nextcloud Enterprise
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*
- >= 28.0.0
- >= 29.0.0
- >= 30.0.0
- >= 31.0.0
A vulnerability in Nextcloud Server versions prior to 31.0.10 and 32.0.1, and in Nextcloud Enterprise Server versions prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, allows any authenticated user to read personal data of other users (email addresses, names, and user identifiers) through the contacts search feature without proper access control. The cause is that the server includes the system address book in the search response even when the 'dav.system_addressbook_exposed' configuration is set to 'no', so the setting intended to hide that address book is not honoured on this code path.
Impact: unauthorized disclosure of other users' contact information (names, email addresses, and identifiers) to any authenticated account, bypassing the administrator's decision to hide the system address book.
To reproduce, set 'dav.system_addressbook_exposed' to 'no', log in as an ordinary (non-admin) user, and use the contacts search. On an unpatched server the response still contains entries drawn from the system address book (other users' names, email addresses, and identifiers), even though the setting should prevent that address book from being visible.
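A post-upgrade check for this issue, written as an added example (it is not code from this page or from Nextcloud): it takes the result list that a contacts search returned to a low-privilege test user and reports any entries that originate from the system address book while the setting is 'no'. The 'yes'/'no' values of the setting, its default, and the `isLocalSystemBook` and `uid` fields on each result are assumptions about the response shape, not facts from the advisory; adjust them to what your server actually returns.

```python
"""Check that a contacts-search response honours dav.system_addressbook_exposed.

Added example, not Nextcloud code. Assumptions not stated on the page:
  * the setting takes the literal values 'yes'/'no' and defaults to 'yes';
  * each search result is a JSON object that carries a boolean
    'isLocalSystemBook' when it came from the system address book and a
    'uid' naming the Nextcloud account the card represents.
"""
import json
from dataclasses import dataclass
from typing import List, Optional


def system_addressbook_exposed(setting: Optional[str]) -> bool:
    """Interpret the setting: only an explicit 'no' hides the book.

    An unset value is treated as exposed (assumed default)."""
    return (setting or "yes").strip().lower() != "no"


@dataclass(frozen=True)
class Leak:
    uid: str
    email: Optional[str]
    display_name: Optional[str]


def system_entries(results: List[dict], requester_uid: str) -> List[Leak]:
    """Return entries sourced from the system address book that describe
    someone other than the requesting user."""
    leaks = []
    for entry in results:
        if not entry.get("isLocalSystemBook"):
            continue  # personal/shared address book card: out of scope
        uid = entry.get("uid", "")
        if uid == requester_uid:
            continue  # seeing your own system card is not a disclosure
        leaks.append(Leak(uid=uid,
                          email=entry.get("email"),
                          display_name=entry.get("displayName")))
    return leaks


def check_no_leak(setting: Optional[str], response_json: str,
                  requester_uid: str) -> List[Leak]:
    """Return the offending entries; an empty list means the setting holds.

    If the administrator exposed the book on purpose there is nothing to
    flag, so the check returns an empty list without inspecting results."""
    if system_addressbook_exposed(setting):
        return []
    return system_entries(json.loads(response_json), requester_uid)


# Constructed sample responses (not captured from a real server): what an
# unpatched server is described as returning to user 'alice' searching for
# 'bob' with the setting at 'no', and what a patched one should return.
SAMPLE_UNPATCHED = json.dumps([
    {"uid": "bob", "displayName": "Bob Example",
     "email": "bob@example.org", "isLocalSystemBook": True},
    {"uid": "alice", "displayName": "Alice",
     "email": "alice@example.org", "isLocalSystemBook": True},
    {"displayName": "Bob (personal)", "email": "bobby@example.net",
     "isLocalSystemBook": False},
])
SAMPLE_PATCHED = json.dumps([
    {"displayName": "Bob (personal)", "email": "bobby@example.net",
     "isLocalSystemBook": False},
])

if __name__ == "__main__":
    for label, body in (("unpatched", SAMPLE_UNPATCHED),
                        ("patched", SAMPLE_PATCHED)):
        leaks = check_no_leak("no", body, "alice")
        print(f"{label}: {'LEAK ' + repr(leaks) if leaks else 'ok'}")
```

Run it against a response captured as a test user before and after updating: a non-empty result on the fixed versions means the setting is still not being honoured on your deployment and the update did not land where you expected.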
Users are advised to update Nextcloud Server to version 31.0.10 or 32.0.1, and Nextcloud Enterprise Server to version 28.0.14.11, 29.0.16.8, 30.0.17.3, or 31.0.10. Setting 'dav.system_addressbook_exposed' to 'no' is not a workaround on affected versions, since the defect is precisely that this setting is not honoured by the contacts search; updating is required.