Bug 2231145 (CVE-2023-39952, CVE-2023-39953, CVE-2023-39954, CVE-2023-39955, CVE-2023-39958, CVE-2023-39959) - CVE-2023-39952 CVE-2023-39953 CVE-2023-39954 CVE-2023-39955 CVE-2023-39959 CVE-2023-39958 nextcloud: Multiple vulnerabilities
Summary: CVE-2023-39952 CVE-2023-39953 CVE-2023-39954 CVE-2023-39955 CVE-2023-39959 CV...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2023-39952, CVE-2023-39953, CVE-2023-39954, CVE-2023-39955, CVE-2023-39958, CVE-2023-39959
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2231146 2231147
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-10 17:54 UTC by Pedro Sampaio
Modified: 2023-08-11 12:21 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-10 23:02:13 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2023-08-10 17:54:55 UTC 
CVE(s):
CVE-2023-39952

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq
https://hackerone.com/reports/1808079
https://github.com/nextcloud/server/pull/38890
https://github.com/nextcloud/groupfolders/issues/1906


CVE(s):
CVE-2023-39953
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No known workarounds are available.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xx3h-v363-q36j
https://github.com/nextcloud/user_oidc/pull/642
https://hackerone.com/reports/2021684

CVE(s):
CVE-2023-39954
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are available.

https://hackerone.com/reports/1994328
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f92-5c8p-f6gq
https://github.com/nextcloud/user_oidc/pull/636

CVE(s):
CVE-2023-39955
Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version 4.8.0 contains a patch for the issue. No known workarounds are available.

https://hackerone.com/reports/1924355
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6g88-37x7-4vw6
https://github.com/nextcloud/notes/pull/1031
Comment 1 Pedro Sampaio 2023-08-10 17:55:15 UTC 
Created nextcloud tracking bugs for this issue:

Affects: epel-8 [bug 2231147]
Affects: fedora-all [bug 2231146]
Comment 2 Product Security DevOps Team 2023-08-10 23:02:12 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Pedro Sampaio 2023-08-11 12:21:02 UTC 
CVE-2023-39959
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://hackerone.com/reports/1832126
https://github.com/nextcloud/server/pull/38747
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj

CVE-2023-39958
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

https://github.com/nextcloud/server/pull/38773
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h
https://hackerone.com/reports/1258448
Note You need to log in before you can comment on or make changes to this bug.