A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user. External References: https://nextcloud.com/security/advisory/?id=nc-sa-2018-001 References: https://hackerone.com/reports/297751
Created nextcloud tracking bugs for this issue: Affects: fedora-all [bug 1561972] Affects: epel-all [bug 1561973]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.