diff options
author | Joas Schilling <coding@schilljs.com> | 2020-01-31 17:24:05 +0300 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2020-01-31 17:24:05 +0300 |
commit | 02675431f168e1c8094280df7615329053593221 (patch) | |
tree | 3bbead26384df9ff07eca10e6a4fbef3140d51eb /advisories/nc-sa-2020-005.php | |
parent | eba4489a58c7d9bee211d04f9390e35e73e68abb (diff) |
Add new advisories
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'advisories/nc-sa-2020-005.php')
-rw-r--r-- | advisories/nc-sa-2020-005.php | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/advisories/nc-sa-2020-005.php b/advisories/nc-sa-2020-005.php new file mode 100644 index 00000000..d80ef6b6 --- /dev/null +++ b/advisories/nc-sa-2020-005.php @@ -0,0 +1,34 @@ +<div class="row page-content-header"> +<div class="col-md-12"> + <h1>Security Advisory</h1> + <a href="/security/advisories/">Back to advisories</a> +</div> +</div> +<div class="row"> + <div class="col-md-12"> + <h2>Missing default timeout on HTTP requests (NC-SA-2020-005)</h2> + <p>4th September 2019</p> + <p>Risk level: <strong>Low</strong></p> + <p>CVSS v3 Base Score: 4.3 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L">AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</a>)</p> + <p>CWE: <a href="https://cwe.mitre.org/data/definitions/1088.html">Synchronous Access of Remote Resource without Timeout (CWE-1088)</a></p> + <p>HackerOne report: <a href="https://hackerone.com/reports/592864">592864</a></p> + <h3>Description</h3> + <p>Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.</p> + <h3>Affected Software</h3> + <ul> + <li>Nextcloud Server < <strong>17.0.0</strong> (CVE assignment pending)</li> + + </ul> + <h3>Action Taken</h3> + <p>The error has been fixed.</p> + <h3>Resolution</h3> + <p>It is recommended that the Nextcloud Server is upgraded to 17.0.0.</p> + <h3>Acknowledgements</h3> + <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p> + <ul> + <li><a href="https://twitter.com/joshmdx" target="_blank" rel="noreferrer">Joshua Maddux (jdmaddux@gmail.com) - Vulnerability discovery and disclosure.</a></li> + </ul> + <br/> + <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small> + </div> +</div> |