Bug 2183325 (CVE-2023-26482, CVE-2023-28643, CVE-2023-28644, CVE-2023-28646, CVE-2023-28833, CVE-2023-28835) - CVE-2023-28835 CVE-2023-28833 CVE-2023-28646 CVE-2023-26482 CVE-2023-28643 CVE-2023-28644 nextcloud: Multiple vulnerabilities
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2023-26482, CVE-2023-28643, CVE-2023-28644, CVE-2023-28646, CVE-2023-28833, CVE-2023-28835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2183326 2183327
Blocks:
 
Reported: 2023-03-30 21:02 UTC by Pedro Sampaio
Modified: 2023-03-31 00:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-31 00:52:58 UTC
Embargoed:



Description Pedro Sampaio 2023-03-30 21:02:30 UTC
Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

https://github.com/nextcloud/server/pull/36093
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9

Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means, but this method could be exploited by tricking an admin into uploading a maliciously named file. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should avoid ingesting logo files from untrusted sources.

https://github.com/nextcloud/server/pull/36095
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ch7f-px7m-hg25

Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows seeing meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3rf-94h6-vj8v
https://github.com/nextcloud/android/pull/11242

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination, depending on the available apps, the issue can result in an RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable the apps `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj
https://github.com/nextcloud/server/commit/5a06b50b10cc9278bbe68bbf897a0c4aeb0c4e60

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

https://github.com/nextcloud/server/issues/34015
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27
https://github.com/nextcloud/server/pull/36047

Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performance and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this vulnerability.

https://github.com/nextcloud/server/pull/36016
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9wmj-gp8v-477j
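The first advisory above (GHSA-7w2p-rp9m-9xp9) says only that the fallback share password came from a "weak complexity random number generator". The following is an added example, not Nextcloud's code and not a reproduction of the actual defect: it models a weak generator as a deterministic PRNG whose entire state is a hypothetical 16-bit seed, shows that an attacker who knows the generator only has to enumerate seeds rather than passwords, and contrasts it with a CSPRNG-backed generator. The alphabet, password length and seed size are assumptions for illustration.

```python
"""Added example (not Nextcloud's code): brute-forcing a share password that
was produced by a weak, small-state PRNG, versus generating it from a CSPRNG."""
import math
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits   # assumption: 62-symbol alphabet
LENGTH = 10                                       # assumption: 10-character fallback password
SEED_BITS = 16                                    # assumption: the weak generator's whole state


def weak_share_password(seed: int) -> str:
    """Password drawn from a deterministic PRNG seeded with a small value.

    However long the password is, its entropy is bounded by SEED_BITS, because
    every character is a function of the seed alone.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_share_password(length: int = LENGTH) -> str:
    """Password drawn from the OS CSPRNG; each character is an independent draw."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(target: str) -> Optional[int]:
    """Offline attack against the weak generator: regenerate the candidate
    password for every possible seed and stop at the first match."""
    for seed in range(1 << SEED_BITS):
        if weak_share_password(seed) == target:
            return seed
    return None


def effective_bits(generator: str, length: int = LENGTH) -> float:
    """Size of the search space the attacker actually faces, in bits."""
    if generator == "weak":
        return float(SEED_BITS)                     # enumerate seeds, not passwords
    if generator == "strong":
        return length * math.log2(len(ALPHABET))    # enumerate passwords
    raise ValueError(generator)


if __name__ == "__main__":
    victim = weak_share_password(seed=0xBEEF)       # constructed victim share password
    print("weak password   :", victim)
    print("recovered seed  :", hex(recover_seed(victim)))
    print("weak search bits:", effective_bits("weak"))
    print("strong bits     :", round(effective_bits("strong"), 1))
    print("strong password :", strong_share_password())
```

The point a practitioner should take from this is that the visible password length says nothing about how hard it is to guess; what matters is the state space of the generator that produced it. The advisory's mitigation, enabling a password policy, does not change the generator, it only affects whether the generated value is accepted as-is, so upgrading remains the real fix.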

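The second advisory above (GHSA-ch7f-px7m-hg25) describes an admin-supplied logo or favicon file name that was "not restricted" and could overwrite files in the appdata directory. The block below is an added example, not Nextcloud's code and not its actual fix: it shows the vulnerable join-the-client-name pattern next to a hardened variant that discards the client name entirely except for a whitelisted extension, and a containment check that can be applied as defence in depth. The image keys, extension list and directory layout are hypothetical.

```python
"""Added example (not Nextcloud's code): keeping an uploaded theming image
inside its appdata directory regardless of the client-supplied file name."""
import posixpath

# Assumptions for illustration: theming only ever stores these two images,
# and only these extensions are acceptable for them.
ALLOWED_KEYS = {"logo", "favicon"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".svg", ".ico"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied name would not stay inside appdata."""


def naive_image_path(appdata_dir: str, client_filename: str) -> str:
    """Vulnerable pattern: the client-chosen name becomes the path as-is.
    '../../config/config.php' walks out of appdata_dir."""
    return posixpath.normpath(posixpath.join(appdata_dir, client_filename))


def escapes_root(root: str, candidate: str) -> bool:
    """True if candidate, after normalisation, is not under root.
    Purely lexical; in production also compare os.path.realpath() results
    so that symlinks inside appdata cannot redirect the write."""
    root = posixpath.normpath(root)
    cand = posixpath.normpath(candidate)
    return posixpath.commonpath([root, cand]) != root


def safe_image_path(appdata_dir: str, key: str, client_filename: str) -> str:
    """Hardened pattern: the basename is the fixed key, the client name only
    contributes an extension from an allowlist, and the result is still checked
    for containment."""
    if key not in ALLOWED_KEYS:
        raise UnsafeFilename(f"unknown image key {key!r}")
    # Keep only the last path component, whichever separator the client used.
    leaf = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = posixpath.splitext(leaf)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    target = posixpath.join(appdata_dir, key + ext)
    if escapes_root(appdata_dir, target):
        raise UnsafeFilename("resolved path escapes appdata directory")
    return target


if __name__ == "__main__":
    base = "/srv/nc/data/appdata/theming"           # constructed appdata location
    evil = "../../config/config.php"                # constructed malicious upload name
    print("naive :", naive_image_path(base, evil), "escapes:", escapes_root(base, naive_image_path(base, evil)))
    print("safe  :", safe_image_path(base, "logo", "../../evil.png"))
    try:
        safe_image_path(base, "logo", evil)
    except UnsafeFilename as exc:
        print("rejected:", exc)
```

Note that the hardened function never lets the client name reach the filesystem: even if the allowlist were bypassed, the write target is `<appdata>/<key><ext>` and nothing else, which is what "restricted file name" should mean for an upload whose purpose is fixed in advance.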
Comment 1 Pedro Sampaio 2023-03-30 21:02:48 UTC
Created nextcloud tracking bugs for this issue:

Affects: epel-8 [bug 2183327]
Affects: fedora-all [bug 2183326]

Comment 2 Product Security DevOps Team 2023-03-31 00:52:56 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

