Bug 2231145 (CVE-2023-39952, CVE-2023-39953, CVE-2023-39954, CVE-2023-39955, CVE-2023-39958, CVE-2023-39959)
Summary: | CVE-2023-39952 CVE-2023-39953 CVE-2023-39954 CVE-2023-39955 CVE-2023-39959 CVE-2023-39958 nextcloud: Multiple vulnerabilities | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | Keywords: | Security |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2023-08-10 23:02:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2231146, 2231147 | ||
Bug Blocks: |
Description
Pedro Sampaio
2023-08-10 17:54:55 UTC
Created nextcloud tracking bugs for this issue: Affects: epel-8 [bug 2231147] Affects: fedora-all [bug 2231146] This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. CVE-2023-39959 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. https://hackerone.com/reports/1832126 https://github.com/nextcloud/server/pull/38747 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj CVE-2023-39958 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. https://github.com/nextcloud/server/pull/38773 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h https://hackerone.com/reports/1258448 |