CVE-2024-52521
Nextcloud Server: a potential hash collision for background jobs could cause them to be skipped instead of queued
In short
Nextcloud Server used weak MD5 hashing to identify background jobs, which could cause a job to be mistaken for one that already exists, skipped, and never executed. Upgrading to a patched version fixes this by switching to stronger SHA256 hashing.
Technical detail
MD5 hash collisions in the background job uniqueness check (CWE-328: Weak Hash) allowed jobs with different arguments to be falsely identified as duplicates and excluded from the execution queue. Switching to SHA256 significantly reduces the collision probability, so distinct jobs are queued as intended.
Summary generated and translated by AI from the official description.
Nextcloud Server is a self-hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments being falsely identified as already existing and not being queued for execution. By changing the hash to SHA256, the probability was heavily decreased. It is recommended that Nextcloud Server be upgraded to 28.0.10, 29.0.7 or 30.0.0.
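The failure mode described above, as an added example that is not Nextcloud's code: a hypothetical `JobList` skips a job whenever the digest of its argument is already present, and is run with a weak key, with full SHA-256, and with a weak key plus a comparison of the stored argument (a design alternative the advisory does not mention). Assumptions: MD5 is truncated to 16 bits so that a collision between constructed arguments is found instantly, and `JobList`, `arg_key`, `ScanJob` and `fileId` are illustrative names.

```python
import hashlib
import json
from functools import partial
from itertools import count

def arg_key(argument, algo="sha256", nbytes=None):
    """Digest of the JSON-serialised job argument; nbytes truncates it (demo only)."""
    data = json.dumps(argument, sort_keys=True).encode()
    digest = hashlib.new(algo, data).digest()
    return digest[:nbytes] if nbytes else digest

class JobList:
    """Hypothetical queue: a job is skipped when its (class, argument key) already exists."""
    def __init__(self, key_fn, compare_argument=False):
        self.key_fn = key_fn
        self.compare_argument = compare_argument  # also compare the stored argument
        self.jobs = {}  # (job_class, key) -> arguments queued under that key

    def add(self, job_class, argument):
        slot = self.jobs.setdefault((job_class, self.key_fn(argument)), [])
        duplicate = argument in slot if self.compare_argument else bool(slot)
        if duplicate:
            return False  # treated as already queued
        slot.append(argument)
        return True

def find_colliding_arguments(key_fn):
    """Birthday search over constructed arguments for two that share a key."""
    seen = {}
    for i in count():
        arg = {"fileId": i}
        key = key_fn(arg)
        if key in seen:
            return seen[key], arg
        seen[key] = arg

def demo():
    # Assumption: 16-bit truncated MD5 stands in for a collision-prone key.
    weak = partial(arg_key, algo="md5", nbytes=2)
    first, second = find_colliding_arguments(weak)
    queues = {"weak": JobList(weak), "sha256": JobList(arg_key),
              "weak+compare": JobList(weak, compare_argument=True)}
    # Each tuple: (first job queued?, different job with colliding key queued?)
    results = {name: (q.add("ScanJob", first), q.add("ScanJob", second))
               for name, q in queues.items()}
    return first, second, results

if __name__ == "__main__":
    print(demo())
```

With the weak key the second, different job is reported as already queued; the other two configurations accept it.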
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Affected products
nextcloud · security-advisories