author | Joas Schilling <coding@schilljs.com> | 2018-02-08 14:24:35 +0300 |
committer | Joas Schilling <coding@schilljs.com> | 2018-02-08 17:22:57 +0300 |
commit | beade6bbacea2a48a8b63f30d9a6c61b2c912371 (patch) | |
tree | 7b4866b3be314bbe3001925bc9807994ad7edf48 /advisories | |
parent | 7d454e413fa423d3962092120555b8f87bc925fe (diff) |
Publish SA-2018-001
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'advisories')
-rw-r--r-- | advisories/advisories.rss | 6 | ||||
-rw-r--r-- | advisories/advisory-side.php | 8 | ||||
-rw-r--r-- | advisories/nc-sa-2018-001.php | 38 | ||||
-rw-r--r-- | advisories/server-list-part.php | 6 |
4 files changed, 51 insertions, 7 deletions
diff --git a/advisories/advisories.rss b/advisories/advisories.rss
index 65a2d994..f6ed964a 100644
--- a/advisories/advisories.rss
+++ b/advisories/advisories.rss
@@ -5,6 +5,12 @@
 <link>https://nextcloud.com/security/advisories/</link>
 <description>The Nextcloud security advisories as a RSS feed</description>
 <ttl>1800</ttl><item>
+ <title>Server: App password scope can be changed for other users (nC-SA-2018-001)</title>
+ <description><p>A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2018-001">For more information please consult the official advisory.</a></strong></p></description>
+ <link>https://nextcloud.com/security/advisory/?id=nC-SA-2018-001</link>
+ <guid isPermaLink="true">https://nextcloud.com/security/advisory/?id=nC-SA-2018-001</guid>
+ <pubDate>Wed, 07 Feb 2018 01:00:00 +0100</pubDate>
+ </item><item>
 <title>Server: Calendar and addressbook names disclosed (nC-SA-2017-012)</title>
 <description><p>A logical error caused disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and adressbook has been disclosed.</p><br/><hr/><p><strong><a href="https://nextcloud.com/security/advisory/?id=nC-SA-2017-012">For more information please consult the official advisory.</a></strong></p></description>
 <link>https://nextcloud.com/security/advisory/?id=nC-SA-2017-012</link>
diff --git a/advisories/advisory-side.php b/advisories/advisory-side.php
index 4a1b1521..6ec142d8 100644
--- a/advisories/advisory-side.php
+++ b/advisories/advisory-side.php
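Review bot: The added `<description>` text reads "the app passwords themselves where neither disclosed" — "where" should be "were", and the same sentence is repeated verbatim in the Description paragraph of the new advisories/nc-sa-2018-001.php hunk, so both copies need the fix: `Note that the app passwords themselves were neither disclosed nor could the error be misused to identify as another user.` Separately, the description embeds raw `<p>`/`<a>` markup directly inside the `<description>` element rather than escaping it or wrapping it in CDATA; the existing nC-SA-2017-012 item does the same, so this looks like the feed's established convention, but a strict RSS consumer would parse those tags as child elements rather than as text.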
@@ -1,6 +1,2 @@
-<br/><p>Nextcloud server 11.0.3</p>
-<a href="/security/advisory/?id=nc-sa-2017-007">DOM XSS vulnerability in search dialogue</a><br/>
-<a href="/security/advisory/?id=nc-sa-2017-008">Reflected XSS in error pages</a><br/>
-<a href="/security/advisory/?id=nc-sa-2017-009">Limitation of app specific password scope can be bypassed</a><br/>
-<a href="/security/advisory/?id=nc-sa-2017-010">Stored XSS in Gallery application</a><br/>
-<a href="/security/advisory/?id=nc-sa-2017-011">Share tokens for public calendars disclosed</a><br/>
+<br/><p>Nextcloud server 12.0.5</p>
+<a href="/security/advisory/?id=nc-sa-2018-001">App password scope can be changed for other users</a><br/>
diff --git a/advisories/nc-sa-2018-001.php b/advisories/nc-sa-2018-001.php
new file mode 100644
index 00000000..b9efadca
--- /dev/null
+++ b/advisories/nc-sa-2018-001.php
@@ -0,0 +1,38 @@
+<div class="row page-content-header">
+<div class="col-md-4">
+ <h1>Security Advisory</h1>
+ <a href="/security/advisories/">Back to advisories</a>
+</div>
+</div>
+<div class="row">
+ <div class="col-md-4">
+ <?php get_template_part('advisories/advisory-side'); ?>
+ </div>
+ <div class="col-md-8">
+ <h2>App password scope can be changed for other users (NC-SA-2018-001)</h2>
+ <p>7th February 2018</p>
+ <p>Risk level: <strong>Low</strong></p>
+ <p>CVSS v3 Base Score: 3.5 (<a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L">AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</a>)</p>
+ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/639.html">Authorization Bypass Through User-Controlled Key (CWE-639)</a></p>
+ <p>HackerOne report: <a href="https://hackerone.com/reports/297751">297751</a></p>
+ <h3>Description</h3>
+ <p><p>A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.</p>
+</p>
+ <h3>Affected Software</h3>
+ <ul>
+ <li>Nextcloud Server < <strong>12.0.5</strong> (CVE assignment pending)</li>
+<li>Nextcloud Server < <strong>11.0.7</strong> (CVE assignment pending)</li>
+
+ </ul>
+ <h3>Action Taken</h3>
+ <p><p>The error has been fixed and regression tests been added.</p>
+</p>
+ <h3>Acknowledgements</h3>
+ <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p>
+ <ul>
+ <li><a href="https://cp270.wordpress.com/" target="_blank" rel="noreferrer">Carl Pearson - Vulnerability discovery and disclosure.</a></li>
+ </ul>
+ <br/>
+ <small style="color:grey">This advisory is licensed <a href="https://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.</small>
+ </div>
+</div>
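Review bot: The Description and Action Taken sections nest a `<p>` inside a `<p>` (`<p><p>A missing ownership check …</p>` followed by a lone `</p>` on the next line, and the same shape around "The error has been fixed"); a `<p>` cannot contain another `<p>`, so the parser closes the outer one at the inner start tag and the trailing `</p>` is left as a stray end tag. Drop the outer wrapper so each section is a single `<p>…</p>`. The Affected Software items also put a raw `<` in text content (`Nextcloud Server < <strong>12.0.5</strong>`); it happens to render today, but it should be escaped, e.g. `<li>Nextcloud Server &lt; <strong>12.0.5</strong> (CVE assignment pending)</li>` and likewise for the 11.0.7 line. The two `<li>` lines and the blank line before `</ul>` are also indented inconsistently with the rest of the template, which is worth tidying while the other lines are touched.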
diff --git a/advisories/server-list-part.php b/advisories/server-list-part.php
index a7d82df0..b83665cd 100644
--- a/advisories/server-list-part.php
+++ b/advisories/server-list-part.php
@@ -1,4 +1,8 @@
-<p>Version 11.0.3</p>
+<p>Version 12.0.5</p>
+<a href="/security/advisory/?id=nc-sa-2018-001">App password scope can be changed for other users</a><br>
+<br/><p>Version 11.0.7</p>
+<a href="/security/advisory/?id=nc-sa-2018-001">App password scope can be changed for other users</a><br>
+<br/><p>Version 11.0.3</p>
 <a href="/security/advisory/?id=nc-sa-2017-007">DOM XSS vulnerability in search dialogue</a><br>
 <a href="/security/advisory/?id=nc-sa-2017-008">Reflected XSS in error pages</a><br>
 <a href="/security/advisory/?id=nc-sa-2017-009">Limitation of app specific password scope can be bypassed</a><br>