author | Morris Jobke <hey@morrisjobke.de> | 2020-10-06 17:56:40 +0300 |
committer | GitHub <noreply@github.com> | 2020-10-06 17:56:40 +0300 |
commit | a0ff3b973edf793c6313052505fd362905cc3609 (patch) | |
tree | d169fe6ad720a6d236984a31531a5780e0724dfd | |
parent | c46383cfcd11b6cd6dac24615290ed3739415578 (diff) | |
parent | 4c7e0224fe645fa36edfbfe3dff104ebd9cbdfaa (diff) |
Merge pull request #69 from nextcloud-gmbh/sa/661051-and-742588
2020/038 & 2020/039 - Advisory for #661051 and #742588
-rw-r--r-- | server/nc-sa-2020-038.json | 43 | ||||
-rw-r--r-- | server/nc-sa-2020-039.json | 33 |
2 files changed, 76 insertions, 0 deletions
diff --git a/server/nc-sa-2020-038.json b/server/nc-sa-2020-038.json
new file mode 100644
index 0000000..aaf27f8
--- /dev/null
+++ b/server/nc-sa-2020-038.json
@@ -0,0 +1,43 @@
+{
+ "Title": "Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 1.8,
+ "vector": "AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ "CWE": {
+ "id": 657,
+ "name": "Violation of Secure Design Principles"
+ },
+ "HackerOne": 661051,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"18.0.8",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ },
+ {
+ "Version":"17.0.10",
+ "CVE":"CVE-2020-8133",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
diff --git a/server/nc-sa-2020-039.json b/server/nc-sa-2020-039.json
new file mode 100644
index 0000000..7d29f4a
--- /dev/null
+++ b/server/nc-sa-2020-039.json
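Review bot: The Resolution at the end of the nc-sa-2020-038 hunk names only 19.0.2, while the Affected array gives fixed-version boundaries for three branches (19.0.2, 18.0.8 and 17.0.10), so an administrator on 18.x or 17.x is not told which release of their branch carries the fix. The Description likewise cites only "Nextcloud Server 19.0.1" although the Affected entries mark the 17 and 18 branches as affected too. Suggest `"Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2, 18.0.8 or 17.0.10."` and widening the Description to cover the affected branches, or stating that 19.0.1 is only the version the finding was reproduced on.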
@@ -0,0 +1,33 @@
+{
+ "Title": "Downgrade encryption scheme and break integrity through known-plaintext attack",
+ "Timestamp": 1598400000,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 5.3,
+ "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N"
+ },
+ "CWE": {
+ "id": 310,
+ "name": "Cryptographic Issues - Generic"
+ },
+ "HackerOne": 742588,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8150",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Kevin \"Kenny\" Niehage",
+ "Mail": "kenny@syseleven.de",
+ "Company": "SysEleven GmbH",
+ "Website": "https://www.syseleven.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+}
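Review bot: Risk is 1 while the CVSS3 score in the same hunk is 5.3 (the vector AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N does compute to 5.3 under CVSS 3.x), and if Risk follows a low/medium/high scale aligned with the CVSS severity bands, 5.3 falls in the medium band, so either `"Risk": 2,` or a reviewer confirmation that the advisory-level rating was deliberately set lower is warranted. The sibling advisory nc-sa-2020-038 pairs Risk 1 with a 1.8 score, which makes the mismatch here stand out. The Affected array also lists only the 19 branch, whereas nc-sa-2020-038 covers 17 and 18 as well; if those branches are affected by CVE-2020-8150 too, the corresponding entries and fixed versions are missing here — presumably intentional, but worth confirming.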