Bug 589234 - <www-apps/nextcloud-9.0.53: HTTPoxy vulnerability (CVE-2016-5385)
Summary: <www-apps/nextcloud-9.0.53: HTTPoxy vulnerability (CVE-2016-5385)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://nextcloud.com/httpoxy-can-aff...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: 589224
Reported: 2016-07-20 12:53 UTC by Bernard Cafarelli
Modified: 2016-07-20 13:08 UTC

See Also:
Package list:
Runtime testing required: ---

Description Bernard Cafarelli gentoo-dev 2016-07-20 12:53:13 UTC
Same vulnerability as www-apps/owncloud in bug #589222

Per $URL:
We ship Guzzle 5 as part of Nextcloud. This handles HTTP requests and supports the HTTP_PROXY environment variable, which can be abused, in some special scenarios, by an attacker to read content. In the worst case, when you use the ajax cron feature, an attacker can potentially see external storage credentials and data. We recommend not to use the ajax cron feature but the system cron if possible, as that also improves performance and reliability.

As a precaution and because security and privacy are paramount for our users, we released a security update.

New version 9.0.53 is in tree, and older vulnerable versions have been dropped.
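The mechanism behind the advisory quoted above, as an added example that is not part of this bug or of Nextcloud's or Guzzle's code: under CGI/FastCGI the request header `Proxy` is mapped to the meta-variable `HTTP_PROXY`, so an HTTP client that reads that variable unconditionally will route its outbound requests wherever the client said. The function names, the sample headers and the operator-only variable name `CGI_HTTP_PROXY` (the convention suggested by the httpoxy advisory) are assumptions for this illustration.

```python
"""Added example: how a client 'Proxy' header becomes HTTP_PROXY under CGI,
and how an HTTP client can resolve its proxy without trusting it.
Not part of the Gentoo bug, Nextcloud or Guzzle; names are illustrative."""
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Map request headers to CGI meta-variables (RFC 3875 style):
    upper-case, '-' replaced by '_', prefixed with HTTP_. This is the step
    that turns an attacker-supplied 'Proxy:' header into HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def naive_proxy_for(env: Dict[str, str], url: str) -> Optional[str]:
    """Client behaviour of the class described in the bug: HTTP_PROXY is
    honoured no matter where the process is running."""
    if url.startswith("http://"):
        return env.get("HTTP_PROXY") or env.get("http_proxy")
    return env.get("HTTPS_PROXY") or env.get("https_proxy")


def hardened_proxy_for(env: Dict[str, str], url: str) -> Optional[str]:
    """Same lookup, but HTTP_PROXY is ignored while serving a web request.
    REQUEST_METHOD is set by the CGI/FastCGI server for every request, and
    in that context every HTTP_* variable is client-derived. HTTPS_PROXY has
    no header collision ('Https-Proxy' would map to HTTP_HTTPS_PROXY)."""
    in_request = "REQUEST_METHOD" in env
    if url.startswith("http://"):
        if in_request:
            # Operator-only name (assumed convention), never set from a header.
            return env.get("CGI_HTTP_PROXY")
        return env.get("HTTP_PROXY") or env.get("http_proxy")
    return env.get("HTTPS_PROXY") or env.get("https_proxy")


def demo():
    """Constructed request: a client sends a Proxy header to a CGI-hosted app
    that then fetches an external storage URL over plain HTTP."""
    headers = {"Host": "cloud.example", "Proxy": "attacker.example:8080"}
    env = {"REQUEST_METHOD": "GET", **cgi_meta_variables(headers)}
    target = "http://storage.example/"
    return naive_proxy_for(env, target), hardened_proxy_for(env, target)


if __name__ == "__main__":
    print(demo())
```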
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 13:08:56 UTC
(In reply to Bernard Cafarelli from comment #0)
> Same vulnerability as www-apps/owncloud in bug #589222
> 
> Per $URL:
> We ship Guzzle 5 as part of Nextcloud. This handles HTTP requests and
> supports the HTTP_PROXY environment variable, which can be abused, in some
> special scenarios, by an attacker to read content. In the worst case, when
> you use the ajax cron feature, an attacker can potentially see external
> storage credentials and data. We recommend not to use the ajax cron feature
> but the system cron if possible, as that also improves performance and
> reliability.
> 
> As a precaution and because security and privacy are paramount for our
> users, we released a security update
> 
> New version 9.0.53 is in tree, and older vulnerable versions have been
> dropped

Bernard, thanks for the quick push and fix!