
Diffstat (limited to 'old/server/nc-sa-2018-001.json')
-rw-r--r--old/server/nc-sa-2018-001.json36
1 files changed, 36 insertions, 0 deletions
diff --git a/old/server/nc-sa-2018-001.json b/old/server/nc-sa-2018-001.json
new file mode 100644
index 0000000..9c4f3f1
--- /dev/null
+++ b/old/server/nc-sa-2018-001.json
@@ -0,0 +1,36 @@
+{
+ "Title": "App password scope can be changed for other users",
+ "Timestamp": 1517961600,
+ "Risk": 1,
+ "CVSS3": {
+ "score": 3.5,
+ "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
+ },
+ "CWE": {
+ "id": 639,
+ "name": "Authorization Bypass Through User-Controlled Key"
+ },
+ "HackerOne": 297751,
+ "Affected":[
+ {
+ "Version":"12.0.5",
+ "CVE":"CVE-2017-0936",
+ "Operator":"<"
+ },
+ {
+ "Version":"11.0.7",
+ "CVE":"CVE-2017-0936",
+ "Operator":"<"
+ }
+ ],
+ "Description":"A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.",
+ "ActionTaken": "The error has been fixed and regression tests been added.",
+ "Acknowledgment":[
+ {
+ "Name": "Carl Pearson",
+ "Website": "https://cp270.wordpress.com/",
+ "Reason": "Vulnerability discovery and disclosure."
+ }
+ ],
+ "Resolution": "It is recommended that all instances are upgraded to Nextcloud 12.0.5."
+}
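Review bot: The Resolution string names only 12.0.5, but the Affected array also lists the 11.x fix as 11.0.7, so a reader on the 11 branch is left without a stated safe version; suggest `"Resolution": "It is recommended that all instances are upgraded to Nextcloud 12.0.5 or 11.0.7."` so the text agrees with the Affected entries. The Description has a typo, "where neither disclosed" should read `were neither disclosed`. The CVSS3 vector omits the version prefix (`CVSS:3.0/AV:N/...`) that the official vector-string format carries, which presumably matters for any consumer that parses it, though the score of 3.5 does match the given metrics under 3.0 scoring. The numeric Timestamp gives no hint of its unit; if the schema is still open, a name such as `TimestampSeconds` or an RFC 3339 string would make the field self-describing.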