Bug 2231145 (CVE-2023-39952, CVE-2023-39953, CVE-2023-39954, CVE-2023-39955, CVE-2023-39958, CVE-2023-39959)

Summary: CVE-2023-39952 CVE-2023-39953 CVE-2023-39954 CVE-2023-39955 CVE-2023-39959 CVE-2023-39958 nextcloud: Multiple vulnerabilities
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-10 23:02:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2231146, 2231147    
Bug Blocks:    

Description Pedro Sampaio 2023-08-10 17:54:55 UTC 
CVE(s):
CVE-2023-39952

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq
https://hackerone.com/reports/1808079
https://github.com/nextcloud/server/pull/38890
https://github.com/nextcloud/groupfolders/issues/1906


CVE(s):
CVE-2023-39953
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No known workarounds are available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xx3h-v363-q36j
https://github.com/nextcloud/user_oidc/pull/642
https://hackerone.com/reports/2021684

CVE(s):
CVE-2023-39954
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are available.

https://hackerone.com/reports/1994328
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f92-5c8p-f6gq
https://github.com/nextcloud/user_oidc/pull/636

CVE(s):
CVE-2023-39955
Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version 4.8.0 contains a patch for the issue. No known workarounds are available.

https://hackerone.com/reports/1924355
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6g88-37x7-4vw6
https://github.com/nextcloud/notes/pull/1031
Comment 1 Pedro Sampaio 2023-08-10 17:55:15 UTC 
Created nextcloud tracking bugs for this issue:

Affects: epel-8 [bug 2231147]
Affects: fedora-all [bug 2231146]
Comment 2 Product Security DevOps Team 2023-08-10 23:02:12 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Pedro Sampaio 2023-08-11 12:21:02 UTC 
CVE-2023-39959
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://hackerone.com/reports/1832126
https://github.com/nextcloud/server/pull/38747
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj

CVE-2023-39958
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://github.com/nextcloud/server/pull/38773
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://hackerone.com/reports/1258448