Nextcloud Server and Enterprise Missing Access Check Vulnerability in Circles App Allowing Unauthorized Circle Memberships

Vulnerability

A vulnerability exists in Nextcloud Server and Nextcloud Enterprise Server, in affected version ranges, related to the Circles app. The issue arises from a missing access check at the API level, which allows a circle that the caller does not know about or have visibility into to be added, by its ID, as a member of another circle. Circle IDs are long and hard to guess, so the vulnerability is difficult to exploit intentionally; however, if an ID is obtained from another source, circle memberships can be tracked. Users are advised to upgrade to the fixed versions listed under Remediation.

Impact

Exploitation of this vulnerability could allow unauthorized tracking of circle memberships: a private circle can be added to another circle via the API, bypassing the visibility restrictions that would normally apply.

Remediation

Users of Nextcloud Server should upgrade to version 32.0.7 or 33.0.1. Users of Nextcloud Enterprise Server should upgrade to version 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1.

Added: Jun 1, 2026, 5:29 PM
Updated: Jun 1, 2026, 5:29 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 1.3
exploitability: 4.7
remediation: 8.3
relevance: 9.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.