
github.com/nextcloud/nextcloud.com.git
author Morris Jobke <hey@morrisjobke.de> 2019-04-12 18:45:01 +0300
committer Morris Jobke <hey@morrisjobke.de> 2019-04-12 18:45:01 +0300
commit bcc21648b0817639939866322e678b349459f300
tree fb795a868d1cc9d8fbebed7b6ffc96381c715e37 /advisories
parent 2ae03864c3462fe5944016cb271951d6e0de674f
Add generated advisories
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Diffstat (limited to 'advisories')
-rw-r--r-- advisories/advisories.rss | 12
-rw-r--r-- advisories/full-list.php | 35
-rw-r--r-- advisories/nc-sa-2019-002.php | 37
-rw-r--r-- advisories/nc-sa-2019-003.php | 36
4 files changed, 120 insertions, 0 deletions
diff --git a/advisories/advisories.rss b/advisories/advisories.rss
index 67c8d56a..70e3e1f5 100644
--- a/advisories/advisories.rss
+++ b/advisories/advisories.rss
@@ -5,6 +5,18 @@
<link>https://nextcloud.com/security/advisories/</link>
<description>The Nextcloud security advisories as a RSS feed</description>
<ttl>1800</ttl><item>
+ <title>Server: Improper share updates could result in extended data access (NC-SA-2019-003)</title>
+ <description>A bug could expose more data in reshared link shares than intended by the sharer.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2019-003&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2019-003</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2019-003</guid>
+ <pubDate>Fri, 12 Apr 2019 14:00:00 +0200</pubDate>
+ </item><item>
+ <title>Server: Improper access control checks for share expiration date (NC-SA-2019-002)</title>
+ <description>A missing check could give recipient the possibility to extend the expiration date of a share they received.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2019-002&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2019-002</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2019-002</guid>
+ <pubDate>Fri, 12 Apr 2019 14:00:00 +0200</pubDate>
+ </item><item>
<title>Server: Improper access control checks for single share previews (NC-SA-2018-014)</title>
<description>A missing check could give unauthorized access to the previews of single file password protected shares.&lt;br/&gt;&lt;hr/&gt;&lt;p&gt;&lt;strong&gt;&lt;a href=&quot;https://nextcloud.com/security/advisory/?id=nC-SA-2018-014&quot;&gt;For more information please consult the official advisory.&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;</description>
<link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-014</link>
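Review bot: the new `<link>` and `<guid>` values carry the id as `nC-SA-2019-003` / `nC-SA-2019-002` (lowercase n) while full-list.php in the same commit links the same advisories as `NC-SA-2019-003` / `NC-SA-2019-002`; the existing NC-SA-2018-014 item shows the same lowercase form, so this is the generator, but a guid is supposed to be the stable canonical identifier and the `?id=` link only works if the advisory lookup folds case. Suggest emitting the uppercase id, e.g. `<guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=NC-SA-2019-003</guid>`. Minor: the NC-SA-2019-002 description reads "could give recipient the possibility"; "give the recipient" (the same text is repeated in nc-sa-2019-002.php, so fix it at the source).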
diff --git a/advisories/full-list.php b/advisories/full-list.php
index 28985e30..5c7e3858 100644
--- a/advisories/full-list.php
+++ b/advisories/full-list.php
@@ -1,5 +1,40 @@
<hr>
+<h2>2019</h2>
+
+<h3>Nextcloud Server 15.0.0</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-003">Improper share updates could result in extended data access (NC-SA-2019-003)</a> 2019-04-12</li>
+ <li><a href="/security/advisory/?id=NC-SA-2019-002">Improper access control checks for share expiration date (NC-SA-2019-002)</a> 2019-04-12</li>
+</ul>
+
+<h3>Nextcloud Server 14.0.5</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-003">Improper share updates could result in extended data access (NC-SA-2019-003)</a> 2019-04-12</li>
+</ul>
+
+<h3>Nextcloud Server 13.0.9</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-003">Improper share updates could result in extended data access (NC-SA-2019-003)</a> 2019-04-12</li>
+</ul>
+
+<h3>Nextcloud Server 14.0.4</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-002">Improper access control checks for share expiration date (NC-SA-2019-002)</a> 2019-04-12</li>
+</ul>
+
+<h3>Nextcloud Server 13.0.8</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-002">Improper access control checks for share expiration date (NC-SA-2019-002)</a> 2019-04-12</li>
+</ul>
+
+<h3>Nextcloud Server 12.0.13</h3>
+<ul>
+ <li><a href="/security/advisory/?id=NC-SA-2019-002">Improper access control checks for share expiration date (NC-SA-2019-002)</a> 2019-04-12</li>
+</ul>
+
+<hr>
+
<h2>2018</h2>
<h3>Nextcloud Server 14.0.0</h3>
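Review bot: the per-release headings in the new 2019 block are not in version order (15.0.0, 14.0.5, 13.0.9, 14.0.4, 13.0.8, 12.0.13), which comes from grouping by advisory rather than by release, so a reader scanning for their branch finds 14.0.4 listed below 13.0.9 and 12.0.13. Suggest sorting the generated headings descending by version. A heading such as `<h3>Nextcloud Server 14.0.5</h3>` actually means "fixed in 14.0.5" (the advisory lists `< 14.0.5` as affected), which the page never states; one line at the top of the year block saying the headings are the fixed releases would remove the ambiguity, and the 2018 block below has the same problem.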
diff --git a/advisories/nc-sa-2019-002.php b/advisories/nc-sa-2019-002.php
new file mode 100644
index 00000000..1578aaff
--- /dev/null
+++ b/advisories/nc-sa-2019-002.php
@@ -0,0 +1,37 @@
+<div class="row page-content-header">
+<div class="col-md-12">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-12">
+ <h2>Improper access control checks for share expiration date (NC-SA-2019-002)</h2>
+ <p>12th April 2019</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 4.8 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N">AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/284.html">Improper Access Control - Generic (CWE-284)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/447494">447494</a></p>
+ <h3>Description</h3>
+ <p>A missing check could give recipient the possibility to extend the expiration date of a share they received.</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>15.0.0</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>14.0.4</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>13.0.8</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>12.0.13</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 15.0.0, Nextcloud 14.0.4, Nextcloud 13.0.8 or 12.0.13.</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://cp270.wordpress.com" target="_blank" rel="noreferrer">Carl Pearson - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
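Review bot: the CVSS base score does not match its own vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N scores 4.3 under CVSS v3.0 (exploitability 2.8 + impact 1.4, rounded up), not 4.8, and the linked first.org calculator will show that discrepancy to anyone who clicks through. Fix whichever of the two is stale before this is published. Also the Description line, "could give recipient the possibility to extend the expiration date", wants an article ("give the recipient"); the same sentence is reused in advisories.rss, so correct it where the generator reads it from.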
diff --git a/advisories/nc-sa-2019-003.php b/advisories/nc-sa-2019-003.php
new file mode 100644
index 00000000..c1429e98
--- /dev/null
+++ b/advisories/nc-sa-2019-003.php
@@ -0,0 +1,36 @@
+<div class="row page-content-header">
+<div class="col-md-12">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-12">
+ <h2>Improper share updates could result in extended data access (NC-SA-2019-003)</h2>
+ <p>12th April 2019</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 9.6 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N">AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/284.html">Improper Access Control - Generic (CWE-284)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/231917">231917</a></p>
+ <h3>Description</h3>
+ <p>A bug could expose more data in reshared link shares than intended by the sharer.</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server &lt; <strong>15.0.0</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>14.0.5</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server &lt; <strong>13.0.9</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p>The error has been fixed.</p>
+ <h3>Resolution</h3>
+ <p>It is recommended that all instances are upgraded to Nextcloud 15.0.0, 14.0.5 or 13.0.9.</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li>Fabian Riechsteiner - recretix systems AG - Vulnerability discovery and disclosure.</li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
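Review bot: `Risk level: Low` contradicts the score on the next line, which at 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, and the score does follow from that vector) is Critical. The Description, more data exposed in a reshared link share than the sharer intended, describes a confidentiality problem on the sharer's own files, which does not obviously support I:H or a scope change, so the vector looks overstated rather than the risk level understated; either way one of the two must change before this reaches the feed and the full list. Minor: the acknowledgement entry is plain text while the NC-SA-2019-002 page links the reporter; fine if no URL was supplied, otherwise keep the format consistent.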