Bug 2184425 (CVE-2023-28848, CVE-2023-28997, CVE-2023-28998, CVE-2023-29000)

Summary: CVE-2023-29000 CVE-2023-28848 CVE-2023-28998 CVE-2023-28997 nextcloud: Multiple vulnerabilities
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-04 19:52:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2184426, 2184428    
Bug Blocks:    

Description Pedro Sampaio 2023-04-04 16:14:52 UTC 
CVE-2023-29000
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.

https://github.com/nextcloud/desktop/pull/4949
https://hackerone.com/reports/1679267
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h82x-98q3-7534

CVE-2023-28848
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.

https://github.com/nextcloud/user_oidc/pull/580
https://hackerone.com/reports/1878381
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-52hv-xw32-wf7f

CVE-2023-28998
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files.? Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

https://github.com/nextcloud/desktop/pull/5323
https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr

CVE-2023-28997
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

https://github.com/nextcloud/desktop/pull/5324
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc
https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
Comment 1 Pedro Sampaio 2023-04-04 16:15:11 UTC 
Created nextcloud tracking bugs for this issue:

Affects: epel-8 [bug 2184428]
Affects: fedora-all [bug 2184426]
Comment 2 Product Security DevOps Team 2023-04-04 19:52:50 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.