Bug 2292820 (CVE-2024-37312, CVE-2024-37313, CVE-2024-37314)

Summary: CVE-2024-37312 CVE-2024-37313 CVE-2024-37314 nextcloud: multiple vulnerabilities
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2292822, 2292821, 2292823, 2292824, 2292825, 2292826
Bug Blocks:

Description Patrick Del Bello 2024-06-18 03:25:07 UTC
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

https://github.com/nextcloud/photos/pull/1749
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43
https://hackerone.com/reports/1946298

Nextcloud server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
https://github.com/nextcloud/server/pull/44276
https://hackerone.com/reports/2419776

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q
https://github.com/nextcloud/user_oidc/commit/9f68a716ecd264160a7c098b8840313f1ac855f2
https://hackerone.com/reports/2376929

Comment 1 Patrick Del Bello 2024-06-18 03:27:31 UTC
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2292826]


Created nextcloud-client tracking bugs for this issue:

Affects: epel-all [bug 2292822]
Affects: fedora-all [bug 2292821]


Created nextcloud:23/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2292823]


Created nextcloud:24/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2292824]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2292825]