Shares are not removed when a user is limited to sharing within their own groups and is removed from one of them
Package: Server (Nextcloud)
Affected versions: >= 28.0.0, >= 29.0.0
Patched versions: 28.0.9, 29.0.5

Package: Server (Nextcloud Enterprise)
Affected versions: >= 26.0.0, >= 27.0.0, >= 28.0.0, >= 29.0.0
Patched versions: 26.0.13.9, 27.1.11.9, 28.0.9, 29.0.5
Impact
When a server is configured to only allow sharing with users who are in one's own groups, items that had already been shared were not unshared after a user was removed from a group.
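An added audit example, not Nextcloud code: given share records and current group memberships, it lists the shares that no longer satisfy the group-only restriction after a membership change. The Share fields, the sample users and groups, and the rule that a group share requires the sharer to belong to that group are assumptions of this example.

```python
from dataclasses import dataclass

USER, GROUP = "user", "group"  # share kinds in this model (labels are assumptions)


@dataclass(frozen=True)
class Share:
    share_id: int
    owner: str
    kind: str       # USER or GROUP
    recipient: str  # a user id for USER shares, a group id for GROUP shares


def groups_of(user, memberships):
    """Groups (by id) that currently contain `user`."""
    return {gid for gid, members in memberships.items() if user in members}


def stale_shares(shares, memberships):
    """Shares that violate 'only share within your own groups' right now."""
    stale = []
    for share in shares:
        owner_groups = groups_of(share.owner, memberships)
        if share.kind == USER:
            # Owner and recipient must still have at least one group in common.
            allowed = bool(owner_groups & groups_of(share.recipient, memberships))
        elif share.kind == GROUP:
            # Assumption: the sharer must be a member of the target group.
            allowed = share.recipient in owner_groups
        else:
            allowed = True  # other share kinds are outside this check
        if not allowed:
            stale.append(share)
    return stale


# Constructed sample data: memberships before and after "bob" left "finance".
MEMBERSHIPS_BEFORE = {"finance": {"alice", "bob"}, "staff": {"alice", "carol"}}
MEMBERSHIPS_AFTER = {"finance": {"alice"}, "staff": {"alice", "carol"}}
SHARES = [
    Share(1, "alice", USER, "bob"),     # bob is the recipient
    Share(2, "alice", USER, "carol"),
    Share(3, "bob", GROUP, "finance"),  # bob is the sharer
    Share(4, "carol", USER, "alice"),
]

if __name__ == "__main__":
    for share in stale_shares(SHARES, MEMBERSHIPS_AFTER):
        print(f"stale share {share.share_id}: {share.owner} -> {share.recipient}")
```

Running the same check before and after each group change shows which existing shares a removal should have revoked.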
Patches
It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
Workarounds
References
For more information
If you have any questions or comments about this advisory: