
authorMorris Jobke <hey@morrisjobke.de>2020-10-06 17:56:40 +0300
committerGitHub <noreply@github.com>2020-10-06 17:56:40 +0300
commita0ff3b973edf793c6313052505fd362905cc3609 (patch)
treed169fe6ad720a6d236984a31531a5780e0724dfd
parentc46383cfcd11b6cd6dac24615290ed3739415578 (diff)
parent4c7e0224fe645fa36edfbfe3dff104ebd9cbdfaa (diff)
Merge pull request #69 from nextcloud-gmbh/sa/661051-and-742588
2020/038 & 2020/039 - Advisory for #661051 and #742588
-rw-r--r--server/nc-sa-2020-038.json43
-rw-r--r--server/nc-sa-2020-039.json33
2 files changed, 76 insertions, 0 deletions
diff --git a/server/nc-sa-2020-038.json b/server/nc-sa-2020-038.json
new file mode 100644
index 0000000..aaf27f8
--- /dev/null
+++ b/server/nc-sa-2020-038.json
@@ -0,0 +1,43 @@
+{
+ "Title": "Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 1.8,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 657,
+ "name": "Violation of Secure Design Principles"
+ },
+ "HackerOne": 661051,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.8",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.10",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
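Review bot: The `Resolution` on the last line of this file names only 19.0.2, yet the `Affected` array marks 18.0.8 and 17.0.10 as the fixed versions of the 18 and 17 branches, so an operator on those branches is told to jump a major version instead of taking the maintenance release. Align it with the Affected entries: `"Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2, 18.0.8 or 17.0.10."`. The `Description` likewise mentions only 19.0.1; if the older branches are affected as the Affected array states, it should say "versions prior to 19.0.2, 18.0.8 and 17.0.10". `ActionTaken` ("The error has been fixed.") gives no hint of what changed — naming the fix at the level the Title already does (the MAC computation of the Default Encryption Module) would let operators judge whether files encrypted before the upgrade need re-verification; I cannot tell from these lines whether already-stored files remain exposed after upgrading, so that is worth stating explicitly either way.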
diff --git a/server/nc-sa-2020-039.json b/server/nc-sa-2020-039.json
new file mode 100644
index 0000000..7d29f4a
--- /dev/null
+++ b/server/nc-sa-2020-039.json
@@ -0,0 +1,33 @@
+{
+ "Title": "Downgrade encryption scheme and break integrity through known-plaintext attack",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N"
+ },
+ "CWE": {
+ "id": 310,
+ "name": "Cryptographic Issues - Generic"
+ },
+ "HackerOne": 742588,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8150",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
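Review bot: `"Risk": 1` sits next to a CVSS 3 base score of 5.3 (Medium) with `I:H` and `S:C` in the vector, while the sibling advisory in this commit assigns the same Risk 1 to a 1.8 score; unless the repository's Risk field means something other than a severity tier, this entry looks under-rated and should be rechecked against how Risk maps to CVSS in the other advisories. The vector and score are at least internally consistent (AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N does compute to 5.3). Only the 19 branch is listed in `Affected`, whereas the companion advisory for the same reporter and the same encryption module also covers 18.0.8 and 17.0.10; if 18.x and 17.x select the encryption scheme the same way, either confirm they are unaffected or add entries for them, because consumers of this JSON will otherwise treat 18.0.x as safe. Since a downgrade of the encryption scheme affects files already stored, `Resolution` should also say whether upgrading to 19.0.2 alone restores integrity or whether previously encrypted files need re-encryption or verification — I cannot tell from these lines, so this is a question rather than an assertion.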