Bug 1449185 (CVE-2017-0890, CVE-2017-0891, CVE-2017-0892, CVE-2017-0893, CVE-2017-0894, CVE-2017-0895)

Summary: CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: daniell1, james.hogarth, sheldon.corey
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud 11.0.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:12:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1449186, 1449187, 1451237, 1451238    
Bug Blocks:    

Description Andrej Nemec 2017-05-09 11:46:38 UTC 
Multiple vulnerabilities were found in nextcloud server.

CVE-2017-0890 - Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-007

CVE-2017-0891 - Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-008

CVE-2017-0892 - Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-009

CVE-2017-0893 - Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user-input which suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-010

CVE-2017-0894 - Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-011

CVE-2017-0895 - Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed.

https://nextcloud.com/security/advisory/?id=nc-sa-2017-012
Comment 1 Andrej Nemec 2017-05-09 11:47:18 UTC 
Created nextcloud tracking bugs for this issue:

Affects: epel-7 [bug 1449187]
Affects: fedora-all [bug 1449186]
Comment 2 Andrej Nemec 2017-05-16 08:17:06 UTC 
Created owncloud tracking bugs for this issue:

Affects: epel-7 [bug 1451237]
Affects: fedora-all [bug 1451238]
Comment 3 Andrej Nemec 2017-05-16 08:17:50 UTC 
References:

http://seclists.org/fulldisclosure/2017/May/56
Comment 4 Product Security DevOps Team 2019-06-08 03:12:06 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.