Hi, I’m using Nextcloud happily for a few years now, currently installed on my NAS in a Docker container. I’m using the official image but slightly modified it by installing the samba client.
My Nextcloud is accessible from my own public domain.
The problem now is that this morning somehow the CalDAV stopped working. I’ve now accessed the page and I was greeted with a warning that I must update my apps… without login! I tried it in incognito and got the same update message, no login! This means that currently ANYONE is able to press “Start update” and can agree that I have made a backup!
What is going on here??
I did nothing to the installation. The only thing I did in the recent days that might have affected Nextcloud was restarting my NAS. The container has not been modified and was last recreated 1.5 months ago. I did not execute ANY commands related to Nextcloud or in the Nextcloud container.
And even if the site required me to log in before that message appears, I still find it pretty bad that Nextcloud is now forcing updates.
Can anyone explain how this could have happened?
Version: Nextcloud 25.0.3
My Dockerfile:

```Dockerfile
FROM nextcloud:latest
# Install the packages in a single layer so the apt list cleanup actually
# shrinks the image (a rm in a later layer does not remove data from earlier ones).
RUN apt-get update \
    && apt-get install -y --no-install-recommends procps smbclient libmagickcore-6.q16-6-extra \
    && rm -rf /var/lib/apt/lists/*
```
This sounds like an upgrade process which was triggered somehow but didn’t complete. In general there is no way to start an upgrade process anonymously. In Docker this can happen if you use container management tools like Portainer, which could have upgraded your container silently… There was a similar discussion in the forum some time ago… Please use the search for details.
There are minor upgrades which often address security issues, and at least the minor upgrades you should install very fast to keep your installation secure.
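As an added example (not from either poster), a small check that a monitoring host can run against the public, unauthenticated `/status.php` endpoint to notice this state before anyone else does: it flags a pending upgrade (`needsDbUpgrade`), maintenance mode, and any drift from the version you pinned, so a silently swapped image surfaces as an alert rather than as a public “Start update” page. The base URL, the expected version and the sample response are assumptions constructed for the example.

```python
import json
import urllib.request

# Constructed sample of what /status.php returns once the container image has
# been swapped underneath a data directory that has not been upgraded yet.
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "maintenance": False,
    "needsDbUpgrade": True,
    "version": "25.0.4.1",
    "versionstring": "25.0.4",
    "edition": "",
    "productname": "Nextcloud",
})


def fetch_status(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /status.php from the instance; no credentials are needed."""
    url = base_url.rstrip("/") + "/status.php"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def evaluate_status(status: dict, expected_version: str) -> list:
    """Return a list of findings; an empty list means the instance looks as expected."""
    findings = []
    if not status.get("installed", False):
        findings.append("instance reports itself as not installed")
    if status.get("maintenance"):
        findings.append("maintenance mode is on")
    if status.get("needsDbUpgrade"):
        findings.append("upgrade pending: the public Start update page is being served")
    seen = status.get("versionstring", "")
    if seen != expected_version:
        findings.append("version drift: running " + seen + ", pinned " + expected_version)
    return findings


def check(base_url: str, expected_version: str) -> list:
    """Live check: fetch the status and evaluate it against the pinned version."""
    return evaluate_status(fetch_status(base_url), expected_version)


def demo_findings() -> list:
    """Run the evaluation on the constructed sample (assumed pin: 25.0.3)."""
    return evaluate_status(json.loads(SAMPLE_STATUS), "25.0.3")


if __name__ == "__main__":
    for finding in demo_findings():
        print("ALERT:", finding)
```

Run `check("https://cloud.example.invalid", "25.0.3")` from cron or a monitoring job and alert on a non-empty result.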
Thanks for your response.
I didn’t know that Portainer is updating my image without me knowing it… that’s really bad. Especially because it must be a default option.
I know that I should make regular updates for security. Since this is my private setup I don’t always have time to take care of all my containers.
But the original question still remains: why is this publicly available then and not in some kind of maintenance mode? For testing, I pressed the update button in an incognito browser window, so I was 100% sure I wasn’t logged in. The update started and went without problems. After the apps had been updated and some got disabled without any authentication, I was greeted with the login page.
That’s a much bigger security breach and should not happen.
I did not find anything about this on the web (also searched on this forum), so I guess this is still an unfixed bug.
I’m happy to discuss real security issues. Unauthenticated data access, user impersonation: yes. Pressing a button is not on the list… If you think there is a security issue, please describe why “a button to complete an already started upgrade process (without access to user data)” is a security issue in your eyes?
Yes, of course it’s not the biggest security issue. There are way worse like you described. But the message on the page clearly was for an admin, not for a random person discovering the page.
This button “only” updates these plugins. But remember that you (at least by default) have to re-enter your admin password when you’re logged in, in order to update plugins from the plugin store.