Bug 2115694 (CVE-2022-31120)

Summary: CVE-2022-31120 nextcloud-server: federated share accepting/declining is not logged in audit log
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ce, ichavero, james.hogarth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nextcloud-server 22.2.7, nextcloud-server 23.0.4, nextcloud-server 24.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-31 21:55:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2115695, 2115696, 2115697, 2115698, 2115699, 2115700, 2115701, 2115702, 2115703, 2115704, 2115705, 2115707, 2115709    
Bug Blocks: 2115633    

Description TEJ RATHI 2022-08-05 07:14:39 UTC 
Nextcloud server is an open source personal cloud solution. The audit log is used to get a full trail of the actions which has been incompletely populated. In affected versions federated share events were not properly logged which would allow brute force attacks to go unnoticed. This behavior exacerbates the impact of CVE-2022-31118. It is recommended that the Nextcloud Server is upgraded to 22.2.7, 23.0.4 or 24.0.0. There are no workarounds available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9qvg-7fwg-722x
https://github.com/nextcloud/server/pull/31594/commits/1d8bf9a89c6856218802a1d365000a5831be8655
https://portal.nextcloud.com/article/using-the-audit-log-44.html
Comment 1 TEJ RATHI 2022-08-05 07:19:51 UTC 
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2115695]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115696]
Affects: fedora-all [bug 2115702]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115697]
Affects: fedora-all [bug 2115703]


Created nextcloud:nextcloud-20/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115698]
Affects: fedora-all [bug 2115704]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115699]
Affects: fedora-all [bug 2115705]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115700]
Affects: fedora-all [bug 2115707]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2115701]
Affects: fedora-all [bug 2115709]
Comment 2 Product Security DevOps Team 2022-08-31 21:55:48 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.