Merge pull request #23 from nextcloud/new-github-advisory-workflow

New GitHub advisory workflow

1 files changed, 35 insertions, 0 deletions

diff --git a/old/server/nc-sa-2020-018.json b/old/server/nc-sa-2020-018.json
new file mode 100644
index 0000000..8a3a38a
--- /dev/null
+++ b/old/server/nc-sa-2020-018.json
@@ -0,0 +1,35 @@
+{
+   "Title": "Missing ownership check on remote wipe endpoint",
+   "Timestamp": 1584532800,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 7.7,
+      "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H"
+   },
+   "CWE": {
+      "id": 639,
+      "name": "Insecure Direct Object Reference"
+   },
+   "HackerOne": 819807,
+   "Affected":[
+      {
+         "Version":"18.0.3",
+         "CVE":"CVE-2020-8154",
+         "Operator":"<"
+      },
+      {
+         "Version":"17.0.5",
+         "CVE":"CVE-2020-8154",
+         "Operator":"<"
+      }
+   ],
+   "Description":"An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Tommy Suriel",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Server is upgraded to 18.0.3."
+}