Bug 2132891 (CVE-2022-39211) - CVE-2022-39211 nextcloud-server: Server-Side Request Forgery (SSRF) via potential filter bypass with too lax local domain checking
Summary: CVE-2022-39211 nextcloud-server: Server-Side Request Forgery (SSRF) via poten...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2022-39211
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2132893 2132894 2132895 2132896 2132897 2132899 2132901 2132903 2132905 2132907 2132909 2132911
Blocks: 2128470
TreeView+ depends on / blocked
 
Reported: 2022-10-07 07:15 UTC by TEJ RATHI
Modified: 2022-11-29 14:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-29 14:14:26 UTC


Attachments (Terms of Use)

Description TEJ RATHI 2022-10-07 07:15:09 UTC
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.

https://github.com/nextcloud/server/pull/32988
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-rmf9-w497-8cq8
https://github.com/nextcloud/server/pull/33031

Comment 1 TEJ RATHI 2022-10-07 07:20:34 UTC
Created nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132893]


Created nextcloud:23/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2132894]
Affects: fedora-all [bug 2132897]


Created nextcloud:24/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2132895]
Affects: fedora-all [bug 2132899]


Created nextcloud:nextcloud-18/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132901]


Created nextcloud:nextcloud-19/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132903]


Created nextcloud:nextcloud-20/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132905]


Created nextcloud:nextcloud-21/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132907]


Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:

Affects: epel-all [bug 2132896]
Affects: fedora-all [bug 2132909]


Created nextcloud:nextcloud-stable/nextcloud tracking bugs for this issue:

Affects: fedora-all [bug 2132911]

Comment 2 Product Security DevOps Team 2022-11-29 14:14:24 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.