author | Joas Schilling <coding@schilljs.com> | 2020-08-24 10:57:55 +0300 |
committer | Joas Schilling <coding@schilljs.com> | 2020-08-24 10:57:55 +0300 |
commit | e6a9c8fb515affc00a1770572aab5baf934a65f6 (patch) | |
tree | a2c70c085b712f30e7f6fd234e9db29c41cbb59a | |
parent | 465892edf62a12842bcd838dd979e9b15418fc40 (diff) |
Advisory for #924393
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | server/nc-sa-2020-037.json | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/server/nc-sa-2020-037.json b/server/nc-sa-2020-037.json
new file mode 100644
index 0000000..a0fe9d9
--- /dev/null
+++ b/server/nc-sa-2020-037.json
@@ -0,0 +1,33 @@
+{
+ "Title": "PIN for passwordless WebAuthn is asked for but not verified",
+ "Timestamp": 1598356800,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 4.3,
+ "vector": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ "CWE": {
+ "id": 287,
+ "name": "Improper Authentication - Generic"
+ },
+ "HackerOne": 924393,
+ "Affected":[
+ {
+ "Version":"19.0.2",
+ "CVE":"CVE-2020-8236",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.",
+ "ActionTaken": "The error has been fixed.",
+ "Acknowledgment":[
+ {
+ "Name": "Dominik Schürmann",
+ "Mail": "contact@cotech.de",
+ "Company": "COTECH",
+ "Website": "https://www.cotech.de/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that the Nextcloud Server is upgraded to 19.0.2."
+} |
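Review bot: The `Affected` entry declares every version below 19.0.2 as vulnerable (`"Operator":"<"`), while the `Description` attributes the defect to a configuration in Nextcloud Server 19.0.1 specifically; if only 19.0.1 (or the 19.0.x line) carries the bug, the range as written overstates exposure for 18.x and earlier and for 19.0.0, so the entry should either gain a lower bound or the description should state that earlier releases are affected too — this needs confirming against the fix. The CVSS3 vector `AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L` does compute to the stated 4.3, so score and vector are consistent. As a point of style, the document mixes `"Key": value` with `"Affected":[`, `"Version":"19.0.2"`, `"CVE":"CVE-2020-8236"`, `"Operator":"<"`, `"Description":"…"` and `"Acknowledgment":[`; normalizing to one space after every colon (e.g. `"Version": "19.0.2",`, `"CVE": "CVE-2020-8236",`, `"Operator": "<"`) keeps diffs against the sibling advisories clean.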