diff options
| author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-03-01 13:56:37 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-01 13:56:37 +0300 |
| commit | f6e9aa7f8dabe8a6e1fbcd5bb3dad78e197c22ba (patch) | |
| tree | d19142b857a9b495561a4623fa9b2fecc965246d | |
| parent | 815990046a622043f8af5e25c9bdbb99d87e708a (diff) | |
| parent | b6af1ba8674819850e0471b1ce1356ab91875219 (diff) | |
Merge pull request #78 from nextcloud-gmbh/sa/867164
2021/006 - Advisory for #867164
| -rw-r--r-- | server/nc-sa-2021-006.json | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/server/nc-sa-2021-006.json b/server/nc-sa-2021-006.json new file mode 100644 index 0000000..0d5e183 --- /dev/null +++ b/server/nc-sa-2021-006.json @@ -0,0 +1,31 @@ +{ + "Title": "External storage app saves password for all users in the database", + "Timestamp": 1601719200, + "Risk": 1, + "CVSS3": { + "score": 5.3, + "vector": "AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L" + }, + "CWE": { + "id": 257, + "name": "Storing Passwords in a Recoverable Format" + }, + "HackerOne": 867164, + "Affected":[ + { + "Version":"20.0.0", + "CVE":"CVE-2020-8296", + "Operator":"<" + } + ], + "Description":"A missing condition in Nextcloud Server 19 and prior caused the external storage app to always store the users password in a recoverable format.", + "ActionTaken": "The error has been fixed. Incorrectly stored passwords have been automatically cleaned-up from your database.", + "Acknowledgment":[ + { + "Name": "Anderson Luiz Alves", + "Mail": "alacn1@gmail.com", + "Reason": "Vulnerability discovery and disclosure." + } + ], + "Resolution": "It is recommended that the Nextcloud Server is upgraded to 20.0.0." +} |